[PLUG] Think I've been hacked

Stafford A. Rau srau at rauhaus.org
Tue Jan 25 00:20:16 UTC 2005


* Mel Andres <mel97215 at comcast.net> [050124 14:41]:
> A few days ago I noticed Yahoo instant messenger started behaving 
> strange. I attempted to fix that by removing and re-installing it, 
> which didn't resolve my problem. Today, I ran chkrootkit, and this 
> disturbing line was in the output:
> 
> Checking `bindshell'... INFECTED (PORTS:  600)

Do you have the lsof utility? If so, what does "lsof -i :600" tell you?
If it shows a process id (pid) for whatever is bound to port 600, then
you can do a "ps -fp (PID)" - replace (PID) with the actual process id
you're looking for.

Granted, if you really are compromised, then certainly ps will have been
trojaned, and possibly also lsof. However, this method might turn up
something that would suggest you just have a false positive from
chkrootkit.

--Stafford
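The lsof-then-ps check above, written out as a POSIX shell script. This is an added example, not code from the thread. It runs the two commands Stafford suggests, then adds a cross-check the post only hints at: it reads /proc/net/tcp directly and maps the socket inode to a process through /proc/PID/fd, so the answer does not depend on the lsof or ps binaries being intact. Assumptions: a Linux /proc layout, port 600 as the default (from the chkrootkit line), and a constructed /proc/net/tcp sample used for offline testing.

```shell
#!/bin/sh
# Added example (not from the original post): what is bound to a TCP port?
# Step 1: lsof -i :PORT and ps -fp PID, as suggested in the reply.
# Step 2: the same question answered from /proc, independent of lsof/ps.

# Convert the hex port field of /proc/net/tcp (e.g. "0258") to decimal (600).
hex_port_to_dec() {
    printf '%d\n' "0x$1"
}

# Print the socket inodes of LISTEN (state 0A) entries on decimal port $1
# in a /proc/net/tcp-style file $2 (use /proc/net/tcp6 for IPv6 sockets).
listeners_for_port() {
    hexport=$(printf '%04X' "$1")
    awk -v want="$hexport" '
        NR > 1 {
            split($2, la, ":")            # local_address is ADDR:PORT in hex
            if (la[2] == want && $4 == "0A") print $10   # $10 is the inode
        }' "$2"
}

# Print the PIDs whose fd table contains socket:[inode] (needs /proc access).
pids_for_inode() {
    for fd in /proc/[0-9]*/fd/*; do
        link=$(readlink "$fd" 2>/dev/null) || continue
        [ "$link" = "socket:[$1]" ] && printf '%s\n' "$fd" | cut -d/ -f3
    done | sort -u
}

# Live check of a port: the lsof/ps route first, then the /proc route.
check_port() {
    port="$1"
    if command -v lsof >/dev/null 2>&1; then
        echo "# lsof -n -P -i :$port"
        lsof -n -P -i ":$port" || true          # exit 1 just means "nothing found"
        for pid in $(lsof -t -i ":$port" 2>/dev/null); do
            echo "# ps -fp $pid"
            ps -fp "$pid" || true
        done
    else
        echo "# lsof not installed; skipping step 1"
    fi
    for f in /proc/net/tcp /proc/net/tcp6; do
        [ -r "$f" ] || continue
        for ino in $(listeners_for_port "$port" "$f"); do
            echo "# $f: listener inode $ino held by PID(s): $(pids_for_inode "$ino" | tr '\n' ' ')"
        done
    done
}

# Constructed /proc/net/tcp sample (not real output) written to file $1:
# a listener on 22, a listener on 600 (inode 12345) and an established
# connection on 600 (state 01) that must not be reported as a listener.
write_sample() {
    cat > "$1" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 777 1 0000000000000000 100 0 0 10 0
   1: 00000000:0258 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0258 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 99 1 0000000000000000 20 4 30 10 -1
EOF
}

# Usage: sh check_port.sh 600
if [ $# -gt 0 ]; then
    check_port "$1"
fi
```

If lsof and ps report a PID but the /proc scan finds no process holding the listening inode, the two views of the system disagree, which is exactly the situation the reply warns about; if both agree on a mundane daemon, the chkrootkit hit is more likely a false positive.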



