No Alex, you're not missing anything.  The OS may be WinXP but it's not that 
difficult for malware to install say part of cygwin and run it as a 
service, if the user enjoys connecting to the Internet while logged in as an 
administrator.  If the OP has installed say OpenSSH the Linux fs is there 
already.

To resolve this could be as simple as removing the Linux fs from the machine 
and taking half a day cleaning the registry manually.  On the other hand it 
may be easier to just reinstall, lock down the different ports (135-139, 445) 
and unnecessary services that are opened by default on WinXP, set strong 
passwords for all including the Guest account (before disabling it) and 
thereafter only log on as Administrator to install software or run 
Windows Updates.  I've been running a machine with WinXP Pro for more than 6 
years without a reinstall, infection or your usual malware problems on this 
basis.  Bear in mind that your average WinXP Home user out there has not even 
set a password on their Administrator account; there's no surprise that all 
sorts of nasties can happen when the PC is networked.

Also, instead of running VNC server listening for connections on the Internet 
where it can be subject to http://www.vncscan.com and dictionary attacks, it 
is better to only listen on loopback and use something like copSSH or OpenSSH 
to build an ssh tunnel with secure key authentication.  If you can lock down 
the WinXP firewall to only allow connections from specific IP addresses and 
move the ssh connection to another port than the default port 22 then even 
better.  A quick scan with nmap from another machine or from grc.com, PC 
Flank, or sygate, should show all ports are closed/stealthed.

Just my 2c's.

HTH.

On Friday 03 November 2006 19:27, Alex Pelts wrote:
> I am not sure on that as he noted that his system is XP, although I
> could miss something.
>
> Regards,
> Alex
>
> Mick wrote:
> > This appears to be Linux trojan:
> >
> > http://www.symantec.com/security_response/writeup.jsp?docid=2005-032316-4307-99&tabid=1
> >
> > Given the types of directories it creates you must have been running X
> > or other applications as root and you allowed it to install, or run
> > some unchecked binary.  If this were my system I would *definitely*
> > reinstall, after using shred on the partitions.
> >
> > Good luck.
> >
> > On Friday 03 November 2006 18:35, Alex Pelts wrote:
> >> This is possibly some spyware or trojan which hides its process from
> >> process manager. You can try to use tools from sysinternals.com to
> >> discover this process. Also run updated anti-virus software to check if
> >> there is any virus.
> >> When you run anti-virus disable windows restore because if the file is
> >> in one of the windows directories it will be restored right back. You
> >> should have your hands full with this one. Don't let it slide though
> >> because it may be some key logger or some zombie software.
> >>
> >>
> >> Alex
> >>
> >> danidani wrote:
> >>> PID is 1576 but it doesn't correspond to any PID that is listed in the
> >>> Task Manager
> >>>
> >>> quite strange isn't it?!
> >>>
> >>>
> >>>
> >>>
> >>> On 11/3/06, *Alex Pelts* < [EMAIL PROTECTED]
> >>> <mailto:[EMAIL PROTECTED]>> wrote:
> >>>
> >>>     Under win xp you can run "netstat -a -o". That will give you pid of
> >>>     process which owns each connection. From there you can run task
> >>>     manager and find out who opened that connection. On unix there is a
> >>>     similar facility although switches are different and you need to be
> >>>     root to do it.
> >>>
> >>>     Regards,
> >>>     Alex
> >>>
> >>>     danidani wrote:
> >>>      > GREAT, it works with this trick!!
> >>>      >
> >>>      > Now the question is... which program is using port 5900??!
> >>>      >
> >>>      >
> >>>      >
> >>>      >
> >>>      > On 11/3/06, John Aldrich < [EMAIL PROTECTED]
> >>>      > <mailto:[EMAIL PROTECTED]>> wrote:
> >>>      >> On Friday 03 November 2006 10:50, danidani wrote:
> >>>      >>> Doing telnet ipaddress 5900 I obtain:
> >>>      >>> : [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
> >>>      >>> NOTICE * :psyBNC2.3.1
> >>>
> >>>      >>> running telnet ipaddress 5907 I get
> >>>      >>>
> >>>      >>> RFB 003.008
> >>>      >>>
> >>>      >>> and that is correct because I changed the port on the vnc
> >>>      >>> server
> >>>      >>>
> >>>      >>>
> >>>      >>> Anyway I don't get access yet.
> >>>      >>
> >>>      >> Try adding :7 to the name or IP address of the PC you're
> >>>      >> attempting to connect
> >>>      >> to from remote. Or you can put ::5907 after the name/ip address
> >>>      >> of the PC.
> >>>
> >>>      >>         John
> >>>      >> _______________________________________________
> >>>      >> VNC-List mailing list
> >>>      >> [email protected] <mailto:[email protected]>
> >>>      >> To remove yourself from the list visit:
> >>>      >> http://www.realvnc.com/mailman/listinfo/vnc-list
> >>>
> >>> --
> >>> skype: danieleda
> >>> msn: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
> >>

-- 
Regards,
Mick
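The procedure the thread works through (run `netstat -a -o` to find the PID owning a listening port, cross-check that PID against Task Manager, and read the greeting that ports 5900 and 5907 send back), as an added Python example that is not part of the original mailing-list thread. The netstat and tasklist text below is constructed sample data, not output from the original poster's machine; the check for VNC listening on all interfaces follows Mick's advice above to bind VNC to loopback only and reach it over an ssh tunnel.

```python
"""Correlate `netstat -a -o` with the process list and classify port banners.

Added example, not code from the thread. All sample output is constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample of `netstat -a -o` output on Windows XP (not real data).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       928
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING       1576
  TCP    127.0.0.1:5907         0.0.0.0:0              LISTENING       1204
  TCP    192.168.1.10:5900      10.0.0.5:3421          ESTABLISHED     1576
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist` output, i.e. what Task Manager would list.
TASKLIST_SAMPLE = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
System                         4 Console                 0        236 K
svchost.exe                  928 Console                 0      4,532 K
winvnc4.exe                 1204 Console                 0      3,120 K
"""


@dataclass(frozen=True)
class Socket:
    proto: str
    addr: str
    port: int
    state: str
    pid: int


def parse_netstat(text):
    """Parse the TCP/UDP rows of `netstat -a -o` into Socket records."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        addr, _, port = parts[1].rpartition(":")
        # UDP rows carry no State column, so the PID is always the last field.
        state = parts[3] if parts[0] == "TCP" else ""
        sockets.append(Socket(parts[0], addr, int(port), state, int(parts[-1])))
    return sockets


def parse_tasklist(text):
    """Map PID -> image name from `tasklist` output; header rows do not match."""
    pids = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K$", line)
        if m:
            pids[int(m.group(2))] = m.group(1).strip()
    return pids


def hidden_pids(sockets, pids):
    """PIDs that own a socket but are absent from the process list.

    This is the symptom danidani reported: netstat names PID 1576 for port
    5900, yet no such PID appears in Task Manager.
    """
    return sorted({s.pid for s in sockets if s.pid not in pids})


def exposed_vnc_listeners(sockets):
    """VNC display ports (5900-5999) bound to every interface instead of
    loopback, i.e. reachable from the Internet rather than via an ssh tunnel."""
    return [s for s in sockets
            if s.proto == "TCP" and s.state == "LISTENING"
            and 5900 <= s.port <= 5999 and s.addr in ("0.0.0.0", "")]


def classify_banner(banner):
    """Identify the service from its greeting, as seen in the thread: a real
    VNC server opens with 'RFB 003.008', while psyBNC announces its name."""
    if banner.startswith("RFB "):
        return "vnc"
    if "psyBNC" in banner:
        return "psybnc-irc-bouncer"
    return "unknown"


if __name__ == "__main__":
    socks = parse_netstat(NETSTAT_SAMPLE)
    procs = parse_tasklist(TASKLIST_SAMPLE)
    print("socket owners missing from process list:", hidden_pids(socks, procs))
    for s in exposed_vnc_listeners(socks):
        print(f"VNC port {s.port} listens on all interfaces (pid {s.pid})")
    for text in ("RFB 003.008\n", ":x NOTICE * :psyBNC2.3.1"):
        print(repr(text.strip()), "->", classify_banner(text))
```

A PID that netstat reports but the process list lacks is the interesting output here: it means the owner is hiding from the usual process enumeration, which is why the thread points at the sysinternals tools and, ultimately, at a reinstall rather than a cleanup.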