Re: [cobalt-users] trojan possibly found - how do you delete them ?
- Subject: Re: [cobalt-users] trojan possibly found - how do you delete them ?
- From: "Ted" <ted@xxxxxxxxxxxxxxx>
- Date: Mon Oct 27 03:50:01 2003
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
Would not radius show as a worm as well, since it accepts incoming
connections?
How does one uninstall a pkg?
----- Original Message -----
From: "Zeffie" <cobaltlist@xxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Monday, October 27, 2003 1:30 AM
Subject: Re: [cobalt-users] trojan possibly found - how do you delete them ?
> > > Checking `lkm'... You have 1 process hidden for readdir command
> > > You have 1 process hidden for ps command
> > > Warning: Possible LKM Trojan installed
> > > found this at the post install run of chkrootkit for cobalt's.
> > > any ideas?
>
> it might be nothing...
>
> > A lot of LKM trojans (such as Suckit) will replace init with a modified
> > version that inserts the trojan code upon startup. Once the trojan has
> > been loaded, the system is started normally, and the trojan code hides
> > the trojaned init binary. This fools RPM databases and many of the
> > rootkit detectors, because it doesn't see that the binary has changed
> > (it is still looking at the original 'init' binary).
>
> > The only real way to check for / eradicate these types of viruses is to
> > remove the drive and attach it to a PC. Then, boot that PC under Knoppix
> > or some other CD based recovery distribution, mount the drive and look
> > for trojaned binaries.
>
> not so.. in fact I do it all the time... In some cases you can use that
> same init bin to unhide and unload the mess, which is a good start to
> cleaning it up... I have a raq3 I'm monitoring now since it got
> trashed... it had like 3 hacks in on it and it was flooding, it had a
> sniffer running, and everything was dying... I just cleaned out
> everything and it's holding strong...
> (and I killed the php nuke that had holes... )
>
> I have done this so many times now I have a flat rate :)
>
> Zeffie
> 734-454-9117
> http://www.zeffie.com/
> Home of Worlds Largest collection of RaQ rpms
>
> _____________________________________
> cobalt-users mailing list
> cobalt-users@xxxxxxxxxxxxxxx
> To subscribe/unsubscribe, or to SEARCH THE ARCHIVES, go to:
> http://list.cobalt.com/mailman/listinfo/cobalt-users
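Added example, not from any post in this thread and not chkrootkit's own code: a POSIX shell script that reproduces the idea behind the `lkm' test quoted above. A rootkit that hides a process typically hooks the directory listing of /proc (what readdir, and therefore `ls /proc', sees) and the tools that read it (ps), but rarely blocks a direct stat() of /proc/<pid>. Collecting PIDs three ways and diffing the views shows the "hidden for readdir" and "hidden for ps" counts chkrootkit reports. It assumes a Linux host with /proc mounted; the PID cap passed to the brute-force scan is an assumption chosen to keep the run short.

```shell
#!/bin/sh
# Added example (not chkrootkit's code): reproduce chkrootkit's `lkm' check.
# Three views of the process table are compared; a PID that can be
# stat()ed under /proc but is missing from readdir or ps is suspicious.

# Set difference: PIDs present in $1 but absent from $2 (both
# whitespace-separated lists). Kept in pure shell so it can be tested alone.
hidden_pids() {
    have="$1"
    listed="$2"
    out=""
    for p in $have; do
        found=0
        for q in $listed; do
            [ "$p" = "$q" ] && { found=1; break; }
        done
        [ "$found" -eq 0 ] && out="$out $p"
    done
    printf '%s' "${out# }"   # trim the leading space
}

# View 1: what readdir() of /proc reports (the same list `ls /proc' shows).
pids_readdir() {
    for d in /proc/[0-9]*; do
        printf '%s\n' "${d#/proc/}"
    done | sort -n | tr '\n' ' '
}

# View 2: what `ps' reports.
pids_ps() {
    ps -eo pid= 2>/dev/null | sort -n | tr '\n' ' '
}

# View 3: brute force. Probe /proc/<pid>/status for every PID up to the cap
# ($1, assumed; defaults to kernel pid_max). An entry that can be opened
# exists whether or not readdir lists it, which is what a hooked readdir
# cannot hide.
pids_bruteforce() {
    max="${1:-$(cat /proc/sys/kernel/pid_max 2>/dev/null || echo 32768)}"
    i=1
    while [ "$i" -le "$max" ]; do
        [ -r "/proc/$i/status" ] && printf '%s ' "$i"
        i=$((i + 1))
    done
}

# Compare the views and print findings in chkrootkit's wording.
lkm_check() {
    brute="$(pids_bruteforce "$1")"
    rd="$(pids_readdir)"
    ps_list="$(pids_ps)"
    h_rd="$(hidden_pids "$brute" "$rd")"
    h_ps="$(hidden_pids "$brute" "$ps_list")"
    echo "Checking \`lkm'..."
    [ -n "$h_rd" ] && echo "You have $(echo $h_rd | wc -w) process hidden for readdir command: $h_rd"
    [ -n "$h_ps" ] && echo "You have $(echo $h_ps | wc -w) process hidden for ps command: $h_ps"
    [ -z "$h_rd" ] && [ -z "$h_ps" ] && echo "nothing detected"
    return 0
}

# Usage: scan the first 65536 PIDs (assumed cap; pass a larger one on hosts
# with a bigger pid_max).
lkm_check "${1:-65536}"
```

Two caveats a practitioner should keep in mind. First, the three views are not taken atomically, so a process that starts or exits between them shows up as a one-off "hidden" hit; run the check twice and treat only a PID that is hidden both times as real. Second, the comparison only works if the kernel's stat() path is not hooked as well; that is exactly why the quoted advice to mount the disk under a CD-booted system and inspect the binaries from outside the running kernel is the stronger check, and `rpm -Va --root /mnt/raqdisk` against the mounted drive is the RPM-based form of it.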