Saleh: No, Redhat9 has kernel 2.4.20-8.

Abdallah: Thanks for your reply. I checked the processes running; everything seems OK now. The process which established the connection was httpd, which I already removed since we don't need it. The connection to the remote dest (on port 6667) is gone, and I already rebooted the server (lost the 9 weeks uptime :-s). But I will keep an eye on it.
Abdallah wrote:
> Salam Issam
>
> Yes. Anytime you see a process you did not create connecting to a
> remote host, especially IRC ports, then you can be certain it is a
> trojan of some sort.
>
> netstat -tapn or netstat -tap will show you a list of what is
> connecting where. Follow the suspicious processes with lsof -n -i to
> see where the culprit is hiding.
>
> Be careful how you remove it. A simple process kill or binary
> removal may result in bad countermeasures from the trojan, like
> deleting your /var.
>
> Be very careful.
>
> Once you identify your trojan binaries and how they are starting, then
> you had better shut down. Reboot with a rescue disk. Mount your hard disk.
> Remove binaries and startup scripts.
>
> Restart normally. On a RH9 I would update your ssh server and clients.
> Change all of your user passwords. Set up a firewall. Close everything
> going out.
>
> Then and only then do you get it online again.
>
> Or, you can format and reinstall a newer distro. :P
>
> Abdallah
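As an added example (not code from the thread or from either poster), here is a small POSIX shell script that automates the netstat check Abdallah describes: it parses `netstat -tapn` style output, keeps only ESTABLISHED TCP connections whose remote port is an IRC port, and prints the owning PID/program, which is what you would then chase with `lsof -n -p <pid>` or `ls -l /proc/<pid>/exe`. The IRC port list (6660-6669 and 7000) is an assumption, and the netstat output embedded below is constructed, not a real capture.

```shell
#!/bin/sh
# Added example, not from the original thread. Parses `netstat -tapn` style
# output and flags ESTABLISHED TCP connections whose remote port is an IRC
# port. The port list (6660-6669, 7000) is an assumption, not from the thread.

# Constructed sample of `netstat -tapn` output (not a real capture).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/httpd
tcp        0      0 192.0.2.10:22           198.51.100.7:51522      ESTABLISHED 2201/sshd
tcp        0      0 192.0.2.10:34567        203.0.113.5:6667        ESTABLISHED 1234/httpd
tcp        0      0 192.0.2.10:34568        203.0.113.9:443         ESTABLISHED 4321/wget'

# Reads netstat lines on stdin; prints "PID/program -> remote:port" for each
# ESTABLISHED tcp/tcp6 connection whose remote port is an IRC port.
# Field layout of `netstat -tapn`: Proto Recv-Q Send-Q Local Foreign State PID/Program
flag_irc_connections() {
    awk '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            n = split($5, part, ":")      # last colon-separated field is the remote port
            port = part[n] + 0
            if ((port >= 6660 && port <= 6669) || port == 7000)
                print $7 " -> " $5
        }'
}

# Same filter, but emits only the numeric PIDs, one per line, deduplicated,
# ready for "lsof -n -p <pid>" or "ls -l /proc/<pid>/exe".
suspicious_pids() {
    flag_irc_connections | awk -F'/' '{ print $1 }' | sort -un
}

# Demo on the constructed sample. On a live host: netstat -tapn | flag_irc_connections
printf '%s\n' "$SAMPLE_NETSTAT" | flag_irc_connections
```

On the sample this reports `1234/httpd -> 203.0.113.5:6667`, the httpd-named process talking to an IRC port that the thread describes. Treat the name in the PID/Program column with suspicion: a bot is free to call itself httpd, so confirm with `lsof -n -p 1234` and `ls -l /proc/1234/exe` before deciding what the binary actually is and where it starts from.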

