
RE: [cobalt-users] Port 1045 Rasmin



> We just installed our first RAQ 550 and users complain that they are
> getting alerts from their firewall that the Rasmin trojan (mIRCPlus) is
> attempting a connection from our RAQ server (see message below).
>
> Has anyone else experienced the same? If it is indeed a trojan, does
> anyone know how it could get onto the RAQ, and more important, how can
> we remove the trojan?

OK, if it is on the server that is very unlucky - the obvious question: is the
RaQ patched up to date?

Next, is it on there or not - wander over to www.chkroot.org, take a look to
see if it detects this trojan, and then if it does, do the following:

SSH into RaQ
su -
{enter password}
mkdir /home/tools
cd /home/tools
wget {the link for the tar file}
tar xvfz {the tar file}
cd chkrootkit-{version}
make sense

After a small amount of stuff on the screen as it compiles, you can then do
./chkrootkit and it will run its checks, telling you what it finds -
hopefully it finds nothing and you will need to look elsewhere as to why
your users are getting this message.

For security, now that you have chkrootkit on the server, it would be nice to
run it every day and email the results to you. Just drop a small shell script
into /etc/cron.daily to run the chkrootkit in /home/tools/chkrootkit and put
the |mail at the end.

Hope this helps

While you're at it, it would be wise to look at installing logcheck or tripwire
as well.

Regards

Gavin
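
Added example, not part of Gavin's message: one way to write the /etc/cron.daily script he describes, with the mail subject showing whether chkrootkit printed any INFECTED lines. Assumptions: chkrootkit was built in /home/tools/chkrootkit, a working "mail" command is installed, and the recipient "root" is a placeholder; the function names and the sample report are constructed for illustration.

```shell
#!/bin/sh
# Added example: daily chkrootkit run with the report mailed to the admin.
# Assumed: build directory from the post, "mail" installed, ADMIN is a placeholder.
CHKROOTKIT_DIR="${CHKROOTKIT_DIR:-/home/tools/chkrootkit}"
ADMIN="${ADMIN:-root}"

# Constructed sample in chkrootkit's "Checking `name'... result" style,
# used only to exercise the functions below without running a scan.
sample_report() {
    cat <<'EOF'
Checking `ls'... not infected
Checking `bindshell'... INFECTED (PORTS:  465)
Checking `lkm'... nothing detected
EOF
}

# Count report lines (stdin) that chkrootkit flags with the literal INFECTED.
# "not infected" is lower case, so it does not match.
count_infected() {
    grep -c 'INFECTED' || true   # grep exits 1 on zero matches; still prints 0
}

# Build a subject line so a hit stands out in the inbox. $1 = full report.
report_subject() {
    hits=$(printf '%s\n' "$1" | count_infected)
    if [ "$hits" -gt 0 ]; then
        echo "[chkrootkit] $(uname -n): $hits INFECTED line(s) - review now"
    else
        echo "[chkrootkit] $(uname -n): no INFECTED lines"
    fi
}

# Run the scan and mail the complete report, not just the hits, so the
# daily mail also shows that every check actually ran.
run_daily_check() {
    # Run from the build directory, next to the helpers "make sense" compiled.
    cd "$CHKROOTKIT_DIR" || return 1
    report=$(./chkrootkit 2>&1)
    printf '%s\n' "$report" | mail -s "$(report_subject "$report")" "$ADMIN"
}

# cron.daily runs the script without arguments; scan only if the tool is there.
if [ -x "$CHKROOTKIT_DIR/chkrootkit" ]; then
    run_daily_check
fi
```

Save it as an executable file in /etc/cron.daily. An INFECTED line is a prompt to investigate rather than proof of compromise, so compare it against the previous days' reports before acting.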