From: Serdar ŞANAL (serdar@istas.com.tr)
Date: Wed 11 Feb 2004 - 02:47:13 EST
Greetings;
When I scanned my system with chkrootkit I got output like:
`bindshell'... INFECTED (PORTS: 600). When I looked with netstat I saw
that UDP port 600 was open.
The output of lsof -i | grep -i 600 is:
rpc.statd 2544 rpcuser 5u IPv4 2384 UDP *:600
I terminated the process with the kill command and scanned again with
chkrootkit. It no longer gives the warning message. What do I need to do
next? I would be grateful for any information.

Thanks.
Note: Is there a problem in the lines below as well?
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.8.0/i386-linux-thread-multi/.packlist
/usr/lib/httpd/modules/httpd-2.0.48/os/.indent.pro
/usr/lib/httpd/modules/httpd-2.0.48/test/.indent.pro
/usr/lib/httpd/modules/httpd-2.0.48/.deps
/usr/lib/httpd/modules/httpd-2.0.48/.gdbinit
/usr/lib/httpd/modules/httpd-2.0.48/support/.indent.pro
/usr/lib/httpd/modules/httpd-2.0.48/modules/aaa/.indent.pro
/usr/lib/httpd/modules/httpd-2.0.48/modules/echo/.indent.pro
/usr/lib/httpd/modules/httpd-2.0.48/modules/http/.indent.pro
/usr/lib/httpd/modules/httpd-2.0.48/modules/test/.indent.pro
/usr/lib/httpd/modules/httpd-2.0.48/modules/metadata/.indent.pro
/usr/lib/httpd/modules/httpd-2.0.48/modules/cache/.indent.pro
/usr/lib/httpd/modules/httpd-2.0.48/modules/proxy/.indent.pro
/usr/lib/httpd/modules/httpd-2.0.48/modules/mappers/.indent.pro
/usr/lib/httpd/modules/httpd-2.0.48/modules/loggers/.indent.pro
/usr/lib/httpd/modules/httpd-2.0.48/modules/filters/.indent.pro
/usr/lib/httpd/modules/httpd-2.0.48/modules/experimental/.indent.pro
/usr/lib/httpd/modules/httpd-2.0.48/modules/generators/.indent.pro
/usr/lib/httpd/modules/httpd-2.0.48/server/.indent.pro
/usr/lib/httpd/modules/httpd-2.0.48/include/.indent.pro
/usr/lib/openoffice/share/gnome/net/.directory
/usr/lib/openoffice/share/gnome/net/.order
/usr/lib/openoffice/share/kde/net/applnk/OpenOffice.org/.directory
/usr/lib/openoffice/share/kde/net/applnk/OpenOffice.org/.order
/usr/lib/qt-3.1/etc/settings/.qtrc.lock
/usr/lib/qt-3.1/etc/settings/.qt_plugins_3.1rc.lock
Checking `sniffer'... eth0: PF_PACKET(/usr/sbin/dhcpd)
Checking `z2'... nothing deleted
Note: This e-mail has been scanned for viruses by Istas Bilgi Islem Merkezi with VirusBuster AV software.
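An added triage example, not part of the message above and not chkrootkit's own code. chkrootkit's `bindshell' test flags any listener on a fixed list of ports (600 is one of them), and rpc.statd binds a reserved port chosen at startup, so the two can collide. The script below shows the check a practitioner would run before killing anything: find the process that owns the flagged port with lsof, then see whether the portmapper has an RPC service registered on that same port and protocol, which is what a genuine rpc.statd looks like. It assumes the `lsof -i -n -P` and `rpcinfo -p` column layouts of a Linux host of that era; both sample outputs are constructed here, modelled on the lsof line in the post.

```sh
#!/bin/sh
# Added example (not from the original post): cross-check a port flagged by
# chkrootkit's `bindshell' test against lsof and the portmapper.
# Assumption: lsof/rpcinfo column layouts as on a 2004-era Linux.
# Both samples below are constructed; the rpc.statd line mirrors the post.

LSOF_SAMPLE='COMMAND    PID    USER FD TYPE DEVICE NODE NAME
rpc.statd 2544 rpcuser 5u IPv4   2384 UDP *:600
rpc.statd 2544 rpcuser 6u IPv4   2386 TCP *:32768 (LISTEN)
sshd       812    root 3u IPv4   1201 TCP *:22 (LISTEN)'

RPCINFO_SAMPLE='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    600  status
    100024    1   tcp  32768  status'

# owner_of PORT PROTO LSOF_OUTPUT: print "COMMAND PID USER" of the socket
# bound to PORT/PROTO, or nothing. Reads from the last columns so it works
# whether or not this lsof prints a SIZE/OFF column.
owner_of() {
    printf '%s\n' "$3" | awk -v p="$1" -v pr="$2" '
        {
            if ($NF == "(LISTEN)") { name = $(NF-1); proto = $(NF-2) }
            else                   { name = $NF;     proto = $(NF-1) }
            if (tolower(proto) == tolower(pr) && name ~ (":" p "$")) {
                print $1, $2, $3; exit
            }
        }'
}

# rpc_registered PORT PROTO RPCINFO_OUTPUT: print the RPC service name the
# portmapper has on PORT/PROTO, or nothing.
rpc_registered() {
    printf '%s\n' "$3" | awk -v p="$1" -v pr="$2" '
        tolower($3) == tolower(pr) && $4 == p { print $5; exit }'
}

# triage_port PORT PROTO
#   returns 0: owner found and registered with the portmapper (consistent
#              with an RPC daemon such as rpc.statd; verify its binary next)
#   returns 1: owner found but no RPC registration on that port (investigate)
#   returns 2: nothing visible to lsof on that port (already gone, or hidden
#              from lsof by a rootkit: treat as suspicious)
triage_port() {
    owner=$(owner_of "$1" "$2" "$LSOF_SAMPLE")
    if [ -z "$owner" ]; then
        echo "$2/$1: no owning process visible to lsof"
        return 2
    fi
    svc=$(rpc_registered "$1" "$2" "$RPCINFO_SAMPLE")
    if [ -n "$svc" ]; then
        echo "$2/$1: $owner, registered with portmapper as '$svc'"
        return 0
    fi
    echo "$2/$1: $owner, not registered with portmapper"
    return 1
}

# Demo over the three sample ports; "|| :" keeps the loop going under set -e.
for spec in "600 UDP" "22 TCP" "31337 TCP"; do
    triage_port $spec || :
done
```

On a live host, replace the two samples with the real `lsof -i -n -P` and `rpcinfo -p` output. A return of 0 for port 600 owned by rpc.statd is the expected false-positive pattern; the remaining step is to confirm the daemon itself is untampered (for example `rpm -Vf /usr/sbin/rpc.statd` on an RPM-based system) rather than trusting the process name alone, since a rootkit can name its listener anything.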