
Re: [cobalt-users] Port 1045 Rasmin



Please help me with this script... What is in it, or how is it
written?

John


Gavin Nelmes-Crocker wrote:
> 
> > We just installed our first RAQ 550 and users complain that they are
> > getting alerts from their firewall that the Rasmin trojan (mIRCPlus) is
> > attempting a connection from our RAQ server (see message below).
> >
> > Has anyone else experienced the same? If it is indeed a trojan, does
> > anyone know how it could get onto the RAQ, and more important, how can
> > we remove the trojan?
> 
> OK, if it is on the server that is very unlucky - obvious question: is the RaQ
> patched up to date?
> 
> Next, is it on there or not - wander over to www.chkroot.org, take a look to
> see if it detects this trojan, and then if it does, do the following:
> 
> SSH into RaQ
> su -
> {enter  password}
> mkdir /home/tools
> cd /home/tools
> wget {the link for the tar file}
> tar xvfz {the tar file}
> cd chkroot-version
> make sense
> 
> After a small amount of stuff on the screen as it compiles, you can then do
> ./chkrootkit and it will run its checks, telling you what it finds -
> hopefully it finds nothing and you will need to look elsewhere as to why
> your users are getting this message.
> 
> For security, now that you have chkrootkit on the server, it would be nice to
> run it every day and email the results to you. Just drop a small shell script
> into /etc/cron.daily to run the chkrootkit in /home/tools/chkrootkit and put
> the |mail at the end.
> 
> Hope this helps
> 
> While you're at it, it would be wise to look at installing logcheck or tripwire
> as well.
> 
> Regards
> 
> Gavin
> 
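
One way to write the daily cron script described in the quoted message, as an added example that is not part of the original thread or of chkrootkit itself. It assumes chkrootkit was unpacked and built in /home/tools/chkrootkit, that `mail` is installed, and that the report goes to root; the file name and function names are illustrative.

```shell
#!/bin/sh
# Added example: save as /etc/cron.daily/chkrootkit (file name is an assumption)
# and make it executable with chmod 755.
CHKDIR=/home/tools/chkrootkit   # path from the message; adjust to the unpacked directory
MAILTO=root                     # assumption: who receives the daily report

# Read chkrootkit output on stdin and print only the checks marked INFECTED.
# The match is case-sensitive, so "not infected" lines are not picked up.
flagged_lines() {
    grep 'INFECTED' || true
}

# Count the flagged checks in a saved output file ($1).
count_flagged() {
    flagged_lines < "$1" | wc -l | tr -d ' '
}

# Build the mail subject from host name ($1) and flagged count ($2).
subject_for() {
    if [ "$2" -gt 0 ]; then
        echo "[chkrootkit] $1: $2 check(s) INFECTED"
    else
        echo "[chkrootkit] $1: nothing found"
    fi
}

# Report body: flagged checks first, then the full output of the run ($1).
build_report() {
    echo "Flagged checks:"
    flagged_lines < "$1"
    echo
    echo "Full output:"
    cat "$1"
}

main() {
    out=$(mktemp) || exit 1
    trap 'rm -f "$out"' EXIT
    # chkrootkit calls its helper binaries by relative path, so run it from its own directory.
    (cd "$CHKDIR" && ./chkrootkit) > "$out" 2>&1
    n=$(count_flagged "$out")
    build_report "$out" | mail -s "$(subject_for "$(hostname)" "$n")" "$MAILTO"
}

# Do nothing if chkrootkit has not been built at CHKDIR.
if [ -x "$CHKDIR/chkrootkit" ]; then
    main
fi
```

Putting the flagged count in the subject line makes a changed result visible in the inbox without opening each day's mail.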