
Re: t0rn v8



Thus spake Stephen Gran:
> Hello all,
> While running chkrootkit, I got this message (among a bunch of others
> saying nothing found):
> 
> Searching for t0rn's default files and dirs... nothing found
> Searching for t0rn's v8 defaults... Possible t0rn v8 (or variation)
> rootkit installed
> 
> and 
> 
> Searching for suspicious files and dirs, it may take a while... 
> /usr/lib/xemacs-21.4.1/lisp/.cvsignore
> /usr/lib/j2re1.3/bin/.java_wrapper
> 
> How bad is this - should I panic at this point?  Looking at some
> information online, although it is not as exhaustive as I would like,
> it seems that the commonest way to deal with this is to reinstall.  I
> would love to hear of a different option, if anyone has one.  
> Looking forward to hearing from you all,
> Steve
Sorry, bad form to have to reply rather than include the info in the
original message, but hindsight and all that.  A few things I have
done to try to see if t0rn is in fact present:
lsof|grep LISTEN:
portmap    273      root    4u  IPv4        303               TCP *:sunrpc (LISTEN)
rpc.statd  277      root    5u  IPv4        418               TCP *:32768 (LISTEN)
inetd      286      root    6u  IPv4        424               TCP *:smtp (LISTEN)
inetd      286      root    7u  IPv4        425               TCP *:auth (LISTEN)
cupsd      289      root    0u  IPv4        692               TCP *:ipp (LISTEN)
sshd       306      root    3u  IPv4        566               TCP *:ssh (LISTEN)
Sorry about the bad wrap ; )

and lsof|grep -i t0rn:
No results.

nmap localhost:
Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
Interesting ports on localhost (127.0.0.1):
(The 1544 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh                     
25/tcp     open        smtp                    
111/tcp    open        sunrpc                  
113/tcp    open        auth                    
631/tcp    open        cups


It looks like it may not be as bad as I feared, but any other ways to
trace this down?  I am running the bastille-firewall, which does a
sort of ipchains-like filtering, although I think I am going to be
migrating soon to ipchains itself - just doing the background reading.
I had hoped to not worry so much about viruses and worms and such
after switching over from MS about a year ago, but I guess that's the
problem with an always on connection.  Ah well,
TIA for any advice/ideas,
Steve
-- 
If we spoke a different language, we would perceive a somewhat different world.
		-- Wittgenstein
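An added example, not from the original post or its author, that automates the cross-check Steve does by hand above: take the listening TCP sockets that lsof reports and the ports nmap finds open on localhost, and flag any port nmap sees that no lsof entry accounts for. The idea is that a trojaned userland tool can be made to hide a listener, but the socket still answers a scan, so a port that shows up in one view and not the other is the thing to chase. The sample lsof and nmap output is constructed (same column layout as in the post, but with `lsof -P` style numeric ports and one made-up extra open port, 47017, to demonstrate a discrepancy); the function names are my own, and the live-host commands in the closing comment assume an lsof that supports `-sTCP:LISTEN`.

```shell
#!/bin/sh
# Added example (not code from the original post): compare lsof's view of
# listening TCP ports with nmap's view of open ports on localhost and
# report ports that only nmap can see.

# Constructed sample in the layout of `lsof -nP -iTCP -sTCP:LISTEN`
# (numeric ports, so no name lookup is needed to compare with nmap).
LSOF_SAMPLE='portmap    273 root 4u IPv4 303 0t0 TCP *:111 (LISTEN)
rpc.statd  277 root 5u IPv4 418 0t0 TCP *:32768 (LISTEN)
inetd      286 root 6u IPv4 424 0t0 TCP *:25 (LISTEN)
inetd      286 root 7u IPv4 425 0t0 TCP *:113 (LISTEN)
cupsd      289 root 0u IPv4 692 0t0 TCP *:631 (LISTEN)
sshd       306 root 3u IPv4 566 0t0 TCP *:22 (LISTEN)'

# Constructed sample in the layout of nmap's port table; 47017 is a made-up
# port added so the discrepancy check has something to find.
NMAP_SAMPLE='Port       State       Service
22/tcp     open        ssh
25/tcp     open        smtp
111/tcp    open        sunrpc
113/tcp    open        auth
631/tcp    open        cups
47017/tcp  open        unknown'

# Numeric listening ports from lsof output: takes the "*:PORT" field that
# precedes "(LISTEN)"; the split on ":" also copes with "[::1]:PORT".
lsof_ports() {
    printf '%s\n' "$1" | awk '
        /\(LISTEN\)/ { n = split($(NF-1), a, ":"); print a[n] }
    ' | sort -un
}

# Open port numbers from nmap's port table ("22/tcp open ssh").
nmap_ports() {
    printf '%s\n' "$1" | awk '
        $2 == "open" { split($1, a, "/"); print a[1] }
    ' | sort -un
}

# Ports nmap reports open that lsof shows no listener for, one per line.
# The "---" marker separates the two sets in a single awk pass.
hidden_ports() {
    { lsof_ports "$1"; echo '---'; nmap_ports "$2"; } | awk '
        $0 == "---"   { second = 1; next }
        !second       { seen[$0] = 1; next }
        !($0 in seen) { print }
    '
}

# Exit status summary: 0 when every open port is accounted for, 1 otherwise.
check_ports() {
    [ -z "$(hidden_ports "$1" "$2")" ]
}

# Run on the constructed samples: prints 47017.
hidden_ports "$LSOF_SAMPLE" "$NMAP_SAMPLE"

# On a live host (assumes lsof understands -sTCP:LISTEN):
#   hidden_ports "$(lsof -nP -iTCP -sTCP:LISTEN)" "$(nmap -p- localhost)"
```

Two caveats on reading the result. Both tools run on the host being checked, so a kernel-level hook that hides a socket from every local view fools both sides equally; scanning from a second machine and comparing against the host's own list is the stronger form of the same check. And the nmap run in the post covered 1549 ports, which is why a high port such as rpc.statd's 32768 never appears in it; `-p-` scans all 65535 so that high-port listeners are included in the comparison.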
