[PLUG] .bugtrac: what is that?

Stafford A. Rau srau at rauhaus.org
Fri Sep 13 16:47:27 UTC 2002


* Jon Jacob <jon at manymoons.net> [020913 09:20]:
> No, I don't.  The logs don't immediately show anything, but I am not
> sure what to look for.
> 
> I have an IPChains firewall up, but of course port 80 is open for the
> web server.

Some of the things you might want to do:

Do an "lsof -i" as root, and save the output. This will tell you what
processes are bound to which tcp & udp ports. See if those bugtrac
processes are actually listening to any ports.

Do a "find /dev -type f -print" to see if there are any regular files
(with the possible exception of a MAKEDEV script) that shouldn't be
under /dev.

If you have something like a distribution install cd, put it in and mount it,
and use the executables from it rather than ones that might have been
trojaned on your machine.

Do a "ps aux" with your possibly suspect installed version of ps, and
then do an "ls /proc". Compare the pids from your ps with the ones in
/proc. There will be a couple different ones, as the pid of your ps and
of your ls will be different, but any others that are missing from the
"ps" but are in /proc will tell you that your ps command is trojaned.

Run nmap from a different machine, or have someone do it for you, and
do a full port scan of your machine.

I'm not saying that you've definitely been rooted, as it may be that
those bugtrac processes are just a red herring and belong to a
legitimate package. I wish I hadn't deleted the mailing list post that
I'm recalling, but it would probably have been from one of the
securityfocus.com mailing lists.

--Stafford
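The ps-versus-/proc comparison and the /dev check described above, as an added shell example that is not from the original message. The function names (`hidden_pids`, `check_live`, `dev_regular_files`) are chosen here; `check_live` also re-checks /proc after the comparison so that the short-lived pipeline children the post mentions are dropped and only a persistent, ps-invisible process is reported.

```shell
#!/bin/sh
# Added example, not part of the original post. Compares the pids the
# (possibly trojaned) ps reports with the numeric entries in /proc.

# hidden_pids PS_PIDS PROC_PIDS
# Both arguments are whitespace-separated pid lists. Prints, one per line,
# every pid that is in PROC_PIDS but not in PS_PIDS.
hidden_pids() {
    for p in $2; do
        found=0
        for q in $1; do
            if [ "$p" = "$q" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then printf '%s\n' "$p"; fi
    done
    return 0
}

# Live check on this machine: pids from ps versus directory names in /proc.
check_live() {
    ps_list=$(ps -A -o pid= | tr -s ' \n' ' ')
    proc_list=$(ls /proc | grep '^[0-9][0-9]*$' | tr '\n' ' ')
    for p in $(hidden_pids "$ps_list" "$proc_list"); do
        # ls, grep and tr from the pipeline above have exited by now;
        # a pid still present in /proc yet absent from ps is the case
        # worth investigating (hidden from ps, or ps itself replaced).
        if [ -d "/proc/$p" ]; then
            printf 'pid %s is in /proc but not in ps output\n' "$p"
        fi
    done
    return 0
}

# Regular files under /dev; MAKEDEV is the one the post allows for.
dev_regular_files() {
    find /dev -type f ! -name MAKEDEV -print 2>/dev/null
    return 0
}
```

Run `check_live` and `dev_regular_files` from an interactive shell as root; ideally the ps, ls and find used are the ones mounted from the install CD rather than the suspect system binaries.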



