[PLUG] Think I've been hacked
Mel Andres
mel97215 at comcast.net
Tue Jan 25 01:56:28 UTC 2005
Mel Andres wrote:
> A few days ago I noticed Yahoo instant messenger started behaving
> strange. I attempted to fix that by removing and re-installing it,
> which didn't resolve my problem. Today, I ran chkrootkit, and this
> disturbing line was in the output:
>
> Checking `bindshell'... INFECTED (PORTS: 600)
>
> I decided to run chkrootkit because of some interesting things from
> "netstat -tanp |more", which had been mentioned in another post. I
> wish that I had scripted to a file, so that I could post that output
> now. I have since killed a couple of suspicious processes, so the
> output doesn't have anything all that interesting anymore. So, what
> should I do next, to ensure I closed this up and cleaned house?
>
> Mel
Okay, I believe the bindshell probably is a false positive. One of the
processes I killed off was fam, as I could think of no reason
(application) for it to be running. And there was the peculiar change in
the Yahoo messenger display, which is yet to be resolved. I've checked
that I can still perform my job duties without firing up their WinXP
laptop, so I think I am okay for the short term. I know enough to be a
little more than dangerous, but not enough to ease my mind about
manually checking everything.

So, I think I'll want to reload the OS. I sliced up hda into thirds
(WinXP, Suse, future use) and have been planning to take a stab at
installing debian on the remaining portion. That way I could mount my
current linux filesystem, and copy over my email, and other personal
stuff. Once comfortable with debian, and confident I won't need the suse
filesystem, I'll blow it away and save it for the next upgrade/project.

I also have been wanting to get the laptop wireless, but that means
buying a wireless router too, or what's the point when I work from home?
So, I'll probably get the Linksys WRT54G. I should gain a layer of
security, and my linux box won't have to do IP forwarding anymore. I'll
probably opt for a PCMCIA wireless card for the laptop, because I expect
there will be more linux support for that. And, that will be the next
thing, setting up the employer's WinXP laptop to dual boot to linux.
Mel
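The post above turns on two things: a chkrootkit `bindshell` hit on port 600, and a `netstat -tanp` listing that was never saved. The following is an added example, not code from the thread or from chkrootkit. It parses a `netstat -tanp` listing (a constructed sample is embedded, with made-up PIDs and program names) and reports every LISTEN socket together with the PID/program that owns it, flagging listeners on a watch list of ports or with no visible owner. The watch list contains only port 600 because that is the only port the thread names; the saved-listing helper is there because keeping the raw output is what the poster wished he had done.

```python
"""Parse `netstat -tanp` output and report listening TCP sockets.

Added example for the PLUG thread, not the poster's or chkrootkit's code.
It attributes each LISTEN socket to its PID/program so a listener on an
unexpected port (such as the port 600 the bindshell check reported) can be
traced to the daemon behind it before anything is killed.
"""
import re
from datetime import datetime
from pathlib import Path

# Constructed sample of `netstat -tanp` output as seen by root; the PIDs and
# program names are made up for the example.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      842/portmap
tcp        0      0 0.0.0.0:600             0.0.0.0:*               LISTEN      911/fam
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1020/master
tcp        0      0 192.168.1.5:32771       216.155.193.144:5050    ESTABLISHED 1500/ymessenger
tcp        0      0 0.0.0.0:5555            0.0.0.0:*               LISTEN      -
"""

# Ports worth a second look. Only 600 comes from the thread; extend this set
# with whatever the administrator has decided to watch (assumption, not a
# chkrootkit list).
WATCH_PORTS = {600}

# One socket line: proto, recv-q, send-q, local, foreign, state, pid/program.
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+"
    r"(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?P<state>\S+)\s+(?P<pid_prog>\S+)\s*$"
)


def parse_netstat(text):
    """Return one dict per socket line; banner and column-header lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr, port = m.group("local").rsplit(":", 1)   # handles ":::22" for tcp6 too
        pid, _, prog = m.group("pid_prog").partition("/")
        sockets.append({
            "proto": m.group("proto"),
            "addr": addr,
            "port": int(port),
            "remote": m.group("remote"),
            "state": m.group("state"),
            "pid": int(pid) if pid.isdigit() else None,  # netstat prints "-" when unknown
            "prog": prog or None,
        })
    return sockets


def listeners(sockets):
    """Only the sockets in LISTEN state."""
    return [s for s in sockets if s["state"] == "LISTEN"]


def flag(sockets, watch=WATCH_PORTS):
    """Listeners on a watched port, or whose owning process netstat could not show."""
    return [s for s in listeners(sockets) if s["port"] in watch or s["pid"] is None]


def save_listing(text, directory="."):
    """Write the raw listing to a timestamped file and return its path."""
    path = Path(directory) / f"netstat-{datetime.now():%Y%m%d-%H%M%S}.txt"
    path.write_text(text)
    return path


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE_NETSTAT)
    for s in listeners(socks):
        owner = f"{s['pid']}/{s['prog']}" if s["pid"] is not None else "unknown owner"
        mark = "  <-- check" if s in flag(socks) else ""
        print(f"{s['addr']}:{s['port']:<6} {owner}{mark}")
    print("saved raw listing to", save_listing(SAMPLE_NETSTAT))
```

In real use, feed it the output of `netstat -tanp` run as root (a non-root run shows `-` for every owner, which this code reports as unknown). A listener that resolves to a known daemon such as fam on a portmap-assigned port is the kind of evidence behind the "false positive" judgement in the post; a listener with no visible owner, or on a port nothing should be serving, is the one to investigate before reloading the OS.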