Thus spake Stephen Gran:
> Hello all,
> While running chkrootkit, I got this message (among a bunch of others
> saying nothing found):
>
> Searching for t0rn's default files and dirs... nothing found
> Searching for t0rn's v8 defaults... Possible t0rn v8 (or variation)
> rootkit installed
>
> and
>
> Searching for suspicious files and dirs, it may take a while...
> /usr/lib/xemacs-21.4.1/lisp/.cvsignore
> /usr/lib/j2re1.3/bin/.java_wrapper
>
> How bad is this - should I panic at this point? Looking at some
> information online, although it is not as exhaustive as I would like,
> it seems that the commonest way to deal with this is to reinstall. I
> would love to hear of a different option, if anyone has one.
> Looking forward to hearing from you all,
> Steve

Sorry, bad form to have to reply rather than include the info in the
original message, but hindsight and all that.

A few things I have done to try to see if t0rn is in fact present:

lsof|grep LISTEN:
portmap    273 root 4u IPv4 303 TCP *:sunrpc (LISTEN)
rpc.statd  277 root 5u IPv4 418 TCP *:32768 (LISTEN)
inetd      286 root 6u IPv4 424 TCP *:smtp (LISTEN)
inetd      286 root 7u IPv4 425 TCP *:auth (LISTEN)
cupsd      289 root 0u IPv4 692 TCP *:ipp (LISTEN)
sshd       306 root 3u IPv4 566 TCP *:ssh (LISTEN)

Sorry about the bad wrap ; )

and lsof|grep -i t0rn:
No results.

nmap localhost:
Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
Interesting ports on localhost (127.0.0.1):
(The 1544 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
25/tcp     open        smtp
111/tcp    open        sunrpc
113/tcp    open        auth
631/tcp    open        cups

It looks like it may not be as bad as I feared, but any other ways to
trace this down? I am running the bastille-firewall, which does a sort of
ipchains-like filtering, although I think I am going to be migrating soon
to ipchains itself - just doing the background reading.

I had hoped to not worry so much about viruses and worms and such after
switching over from MS about a year ago, but I guess that's the problem
with an always on connection.

Ah well, TIA for any advice/ideas,
Steve
--
If we spoke a different language, we would perceive a somewhat different
world. -- Wittgenstein
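A scripted form of the cross-check Steve does by hand above (what the host's own lsof admits to listening on, against what an nmap scan of the same host sees open), added here as an example and not part of the original post. It assumes lsof is run as "lsof -nPi" so the ports come out numeric rather than as service names; both listings below are constructed samples, and port 31337 is invented to stand in for a listener the local tools do not account for.

```shell
#!/bin/sh
# Constructed sample of the host's own view, as "lsof -nPi | grep LISTEN"
# would print it (numeric ports, unlike the named ones in the post).
LSOF_SAMPLE='portmap    273 root 4u IPv4 303 TCP *:111 (LISTEN)
rpc.statd  277 root 5u IPv4 418 TCP *:32768 (LISTEN)
inetd      286 root 6u IPv4 424 TCP *:25 (LISTEN)
inetd      286 root 7u IPv4 425 TCP *:113 (LISTEN)
cupsd      289 root 0u IPv4 692 TCP *:631 (LISTEN)
sshd       306 root 3u IPv4 566 TCP *:22 (LISTEN)'

# Constructed sample of "nmap localhost" for the same host, with one extra
# open port (31337, invented here) that the lsof listing does not explain.
NMAP_SAMPLE='Interesting ports on localhost (127.0.0.1):
Port       State       Service
22/tcp     open        ssh
25/tcp     open        smtp
111/tcp    open        sunrpc
113/tcp    open        auth
631/tcp    open        cups
32768/tcp  open        unknown
31337/tcp  open        unknown'

# TCP ports lsof reports as listening, one per line (last ":" field of the
# address column, so "*:22" and "[::]:22" both yield 22).
ports_from_lsof() {
    printf '%s\n' "$1" |
        awk '/\(LISTEN\)/ { n = split($(NF-1), a, ":"); print a[n] }'
}

# TCP ports nmap reports as open, one per line.
ports_from_nmap() {
    printf '%s\n' "$1" |
        awk '$2 == "open" && $1 ~ /\/tcp$/ { sub(/\/tcp$/, "", $1); print $1 }'
}

# Ports the scan sees open that the host's own tools do not admit to. A
# userland rootkit that replaces ls/ps/netstat/lsof hides its backdoor from
# exactly this kind of local listing, while the kernel still answers the
# scan; anything printed here warrants a look with a known-clean toolset
# (e.g. binaries from rescue media, or verifying packages against their
# shipped checksums).
hidden_listeners() {
    {
        ports_from_lsof "$1" | sed 's/^/L /'
        ports_from_nmap "$2" | sed 's/^/N /'
    } | awk '$1 == "L" { seen[$2] = 1 }
             $1 == "N" && !($2 in seen) { print $2 }' | sort -n -u
}

hidden_listeners "$LSOF_SAMPLE" "$NMAP_SAMPLE"
```

An empty result, as with the post's real listings, means every open port has a process that lsof is willing to name; it does not prove the named binaries are untampered.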