[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: please read: very odd network traffic

* P Kirk (patrick@enterprise-hr.com) [010807 12:32]:
> Saw something similiar in a FreeBSD box once.  It was a trojan ftp
> daemon that started off some obscure user like sysgetty or some other
> "official" looking name.  The RAID had 36 gigs of mp3s and porn.
> You might want to backup your data and reinstall if no-one has a more
> knowledgable answer.
> In the meantime there's no need to disconnect from the net.  Just have a
> rolling kill command that kills ftpd every second. I don't have shell

No offense intended, but this is some of the WORST advice I've heard on
this list to date.

If you fear you may have been compromised, by all means, and for the
love of us all, unplug your network cable at once. If for no other
reason than this: Your system could possibly be launching attacks at
other systems unbeknownst to you, for which you can be held legally and
financially accountable.

Unplug it NOW, and start doing some digging to find out what's really
going on. If you find modified binaries, etc. the easiest way to recover
(IMHO) is to reinstall and restore your (verified clean) data from

Running a script to repeatedly kill the process will only burn your CPU
cycles; if indeed the process is "Respawning because it's a trojan" the
reality of the situation is that other things on your system have been
tampered with. If there's some recurring process (via cron or something)
that restarts the app, a better (but still bad) idea would be to stop
that cron job. IMO, the only acceptable course of action is to pull your
cables and get down and dirty with some forensics.


Attachment: pgpx9iNJf7A7n.pgp
Description: PGP signature

Reply to: