On Wed, 6 Apr 2005 08:16:14 +1000 (EST) "Voytek" <[EMAIL PROTECTED]> wrote:
> I have a compromised RH73 machine, until such time as I can pull it down,
> what can I do to identify and shut down any rogue processes/backdoors?
>
> BDC scan identified:
> ----
> BDC/Linux-Console v7.0 (build 2492) (i386) (Dec 11 2003 13:24:00)
> Copyright (C) 1996-2003 SOFTWIN SRL. All rights reserved.
>
> /var/tmp/mremap_pte infected: Linux.OSF.8759
> ...(several more)
> /var/tmp/tlsd.pl infected: Backdoor.Perl.Termapp.A
> ...
> * packed with (Upx)
> * packed with (ExePack 3.69)
> * packed with (ExePack 3.69)
> ----
>
> additionally, there were baddies in and below /tmp
>
> I've removed all the baddies,

All? How do you know? How do you know that the attacker hasn't installed a
kernel module or replaced libc?

> but, I expect there will be some open ports?
> is there a way to shut them in the interim period till I can get to the
> machine?

The best way would be to put a firewall between the compromised machine and
the internet and then block all suspicious ports. A network sniffer like
ethereal (run from a known-good machine) should tell you what is suspicious.

Erik
--
+-----------------------------------------------------------+
  Erik de Castro Lopo  [EMAIL PROTECTED] (Yes it's valid)
+-----------------------------------------------------------+
"Who would have believed that reading and writing would pay off?"
-- Homer Simpson
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
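The approach Erik describes (do not trust netstat or ps on a box whose libc or kernel may have been replaced; enumerate its ports from a known-good machine, then block what is not expected on a firewall sitting between it and the internet) as an added example that is not part of the original thread. It assumes an nmap scan in grepable output format (nmap -oG) run from the good machine; the scan text, the address 192.0.2.10 and the port mix are constructed for the example, and the allowlist of expected services is something the administrator supplies.

```shell
#!/bin/sh
# Added example: triage the open ports of a compromised host from the outside
# and turn the unexpected ones into firewall rules for an intervening box.

# Constructed sample of "nmap -sS -p- -oG - 192.0.2.10" output, as seen from a
# known-good machine. Address and ports are made up for the example.
SAMPLE_SCAN=$(printf 'Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 1524/open/tcp//ingreslock///, 6667/open/tcp//irc///\tIgnored State: closed (65532)\n')

# open_ports: read nmap -oG text on stdin, print one "proto/port" per open port.
# In -oG output each entry is port/state/proto/owner/service/rpcinfo/version.
open_ports() {
    awk '
        /^Host:/ {
            # The Ports: field runs from "Ports: " to the next tab (or end of line).
            if (match($0, /Ports: [^\t]*/)) {
                field = substr($0, RSTART + 7, RLENGTH - 7)
                n = split(field, entries, /, */)
                for (i = 1; i <= n; i++) {
                    split(entries[i], f, "/")
                    if (f[2] == "open") print f[3] "/" f[1]
                }
            }
        }'
}

# suspicious_ports: filter stdin ("proto/port" lines) against an allowlist of
# services the administrator knows the host is supposed to run ($1, for
# example "tcp/22 tcp/80"). Whatever survives is a backdoor candidate.
suspicious_ports() {
    allow=" $1 "
    while IFS= read -r p; do
        case "$allow" in
            *" $p "*) ;;                 # expected service, keep it reachable
            *) printf '%s\n' "$p" ;;     # not on the list: report it
        esac
    done
}

# block_rules: for each "proto/port" on stdin, emit iptables rules for the
# FORWARD chain of a firewall placed between host $1 and the internet.
# Each port is logged (so the sniffer view is backed by a record) and dropped.
block_rules() {
    host=$1
    while IFS= read -r p; do
        proto=${p%/*}
        port=${p#*/}
        printf 'iptables -A FORWARD -d %s -p %s --dport %s -j LOG --log-prefix "rogue-%s-%s "\n' \
            "$host" "$proto" "$port" "$proto" "$port"
        printf 'iptables -A FORWARD -d %s -p %s --dport %s -j DROP\n' \
            "$host" "$proto" "$port"
    done
}

# Stand-alone run against the constructed scan. Against a live host the same
# pipeline would be:
#   nmap -sS -p- -oG - "$TARGET" | open_ports | suspicious_ports "$ALLOW" | block_rules "$TARGET"
printf '%s\n' "$SAMPLE_SCAN" | open_ports | suspicious_ports "tcp/22 tcp/80" | block_rules 192.0.2.10
```

The rules only cover TCP listeners that were up at scan time; a backdoor that opens its port on demand, or one that calls out (the Perl script found in /var/tmp is the kind of thing that connects to an IRC server rather than listening), is what the sniffer on the good machine is for, and a default-deny policy on the firewall with explicit accepts for the allowlisted services is the stronger posture if the machine cannot be taken down straight away.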
