[PLUG] Think I've been hacked

Mel Andres mel97215 at comcast.net
Tue Jan 25 01:56:28 UTC 2005


Mel Andres wrote:

> A few days ago I noticed Yahoo instant messenger started behaving
> strangely. I attempted to fix that by removing and re-installing it,
> which didn't resolve my problem. Today, I ran chkrootkit, and this
> disturbing line was in the output:
>
> Checking `bindshell'... INFECTED (PORTS:  600)
>
> I decided to run chkrootkit because of some interesting things from
> "netstat -tanp |more", which had been mentioned in another post. I
> wish that I had scripted to a file, so that I could post that output
> now. I have since killed a couple of suspicious processes, so the
> output doesn't have anything all that interesting anymore. So, what
> should I do next, to ensure I closed this up and cleaned house?
>
>  Mel
Okay, I believe the bindshell probably is a false positive. One of the
processes I killed off was fam, as I could think of no reason
(application) for it to be running. And there was the peculiar change in
the Yahoo messenger display, which is yet to be resolved. I've checked
that I can still perform my job duties without firing up their WinXP
laptop, so I think I am okay for the short term. I know enough to be a
little more than dangerous, but not enough to ease my mind about
manually checking everything.

So, I think I'll want to reload the OS. I sliced up hda into thirds
(WinXP, SUSE, future use) and have been planning to take a stab at
installing Debian on the remaining portion. That way I could mount my
current Linux filesystem and copy over my email and other personal
stuff. Once comfortable with Debian, and confident I won't need the SUSE
filesystem, I'll blow it away and save it for the next upgrade/project.
I also have been wanting to get the laptop wireless, but that means
buying a wireless router too, or what's the point when I work from home?
So, I'll probably get the Linksys WRT54G. I should gain a layer of
security, and my Linux box won't have to do IP forwarding anymore. I'll
probably opt for a PCMCIA wireless card for the laptop, because I expect
there will be more Linux support for that. And that will be the next
thing, setting up the employer's WinXP laptop to dual boot to Linux.

Mel
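The triage step the thread wishes had been done (capturing the listener table before killing anything), together with what chkrootkit's bindshell test actually measures, as an added example that is not part of the original posts. chkrootkit's bindshell check simply attempts a TCP connect to a fixed list of ports that known bind shells have used and prints INFECTED on any successful connect; 600 is on that list, so any legitimate daemon that happens to bind port 600 (RPC-based services on reserved ports, with fam a commonly reported cause) produces exactly the line quoted above. The script below reads /proc/net/tcp directly instead of trusting a netstat binary that a rootkit could have replaced, maps each listening socket's inode back to the PID holding it, and snapshots everything into a directory that can be posted or diffed later. The port list (written from memory), the constructed sample table, and all function names are my assumptions, not chkrootkit's code; the address decoding assumes a little-endian (x86) host.

```shell
#!/bin/sh
# Added example: triage an unexplained listening port on Linux, recording
# evidence before touching any process. Assumptions: POSIX sh and awk,
# little-endian host (x86) for /proc/net/tcp address byte order.

# Subset of the ports chkrootkit's bindshell test probes, from memory
# (assumption: consult the chkrootkit source for the authoritative list).
BINDSHELL_PORTS="114 145 465 511 600 1008 1524 1999 3879 4369 5665 10008 10520 12321 23132 27374 29364 30001 31336 31337 45454 47017 60001"

# Print one line per LISTEN socket, "addr:port uid=N inode=N", from a file in
# /proc/net/tcp format (default: the live kernel table, no netstat needed).
list_listeners() {
    awk '
    function hex2dec(h,   i, n) {
        n = 0; h = toupper(h)
        for (i = 1; i <= length(h); i++)
            n = n * 16 + index("0123456789ABCDEF", substr(h, i, 1)) - 1
        return n
    }
    # IPv4 addresses are one 32-bit word in host byte order, so on x86
    # "0100007F" is 127.0.0.1: read the byte pairs from the end.
    function hex2ip(h) {
        return hex2dec(substr(h, 7, 2)) "." hex2dec(substr(h, 5, 2)) "." hex2dec(substr(h, 3, 2)) "." hex2dec(substr(h, 1, 2))
    }
    NR > 1 && $4 == "0A" {    # state 0A is TCP_LISTEN; $8 uid, $10 socket inode
        split($2, a, ":")
        printf "%s:%d uid=%s inode=%s\n", hex2ip(a[1]), hex2dec(a[2]), $8, $10
    }' "${1:-/proc/net/tcp}"
}

# Just the listening port numbers, one per line, in table order.
listening_ports() {
    list_listeners "$1" | sed 's/^[^ ]*:\([0-9][0-9]*\) .*/\1/'
}

# Report listeners that chkrootkit's bindshell probe would flag. A hit only
# means "something answers on that port", not that the owner is hostile.
check_bindshell_ports() {
    ports=$(listening_ports "$1")
    for p in $BINDSHELL_PORTS; do
        for l in $ports; do
            [ "$l" = "$p" ] && echo "$p listening: chkrootkit bindshell test would report INFECTED; identify the owning PID before judging"
        done
    done
    return 0
}

# Map a socket inode to the PID(s) holding it by walking /proc/*/fd
# (run as root, otherwise other users' fd tables are not readable).
socket_owner() {
    for fd in /proc/[0-9]*/fd/*; do
        if [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ]; then
            pid=${fd#/proc/}; echo "${pid%%/*}"
        fi
    done | sort -u
}

# Snapshot the live state before killing anything: raw kernel table, process
# list, netstat/ss output, and the inode-to-PID mapping for every listener.
capture_evidence() {
    dir="${1:-/root/triage-$(date +%Y%m%d-%H%M%S)}"
    mkdir -p "$dir" || return 1
    cp /proc/net/tcp "$dir/proc_net_tcp"
    ps -eo pid,ppid,user,lstart,args > "$dir/ps.txt" 2>/dev/null
    ( netstat -tanp || ss -tanp ) > "$dir/netstat.txt" 2>/dev/null
    list_listeners "$dir/proc_net_tcp" > "$dir/listeners.txt"
    for inode in $(sed 's/.*inode=//' "$dir/listeners.txt"); do
        echo "inode $inode -> pid(s): $(socket_owner "$inode" | tr '\n' ' ')"
    done > "$dir/owners.txt"
    echo "$dir"
}

# Constructed sample table (not captured from any real host): a listener on
# 0.0.0.0:600, cups on 127.0.0.1:631, and one established connection.
make_sample() {
    cat > "$1" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0258 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0F00000A:1F90 FE00000A:C350 01 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 20 4 30 10 -1
EOF
}

# Usage: sh triage.sh demo   (parse the constructed sample)
#        sh triage.sh live   (snapshot the running system, as root)
case "${1:-}" in
    demo) t=$(mktemp); make_sample "$t"; list_listeners "$t"; check_bindshell_ports "$t"; rm -f "$t" ;;
    live) capture_evidence "$2" ;;
esac
```

The point of parsing /proc/net/tcp rather than calling netstat is that a user-space rootkit typically hides its listener by trojaning netstat, ps and lsof; the kernel's own table is harder to lie to without a kernel module. If owners.txt shows port 600 held by a PID whose args are fam (or another RPC daemon), the chkrootkit line is the false positive the thread suspects; if the PID is missing from ps.txt entirely, that mismatch is the real finding and the machine should be rebuilt rather than cleaned.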





