port 20012 fun
Christos Ricudis
ricudis at komodino.itc.auth.gr
Thu Oct 6 10:29:37 EEST 2005
Antonios Christofides wrote:
>Again, more specifically:
>
>anthony at voltaire:~$ grep vboxd /etc/services
>vboxd 20012/tcp # voice box system
>vboxd 20012/udp
>anthony at voltaire:~$ grep vboxd /etc/inetd.conf
>vboxd stream tcp nowait root /usr/sbin/tcpd /usr/sbin/vboxd
>anthony at voltaire:~$ telnet localhost 20012
>Trying 127.0.0.1...
>Connected to voltaire.
>Escape character is '^]'.
>
>(and while the above is running)
>
>anthony at voltaire:~$ sudo netstat -p|head -n 4
>Active Internet connections (w/o servers)
>Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
>tcp 0 0 voltaire:vboxd voltaire:39240 TIME_WAIT -
>tcp 0 0 voltaire:vboxd voltaire:39241 ESTABLISHED 22736/vboxd
>anthony at voltaire:~$ ps l 22736
>F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND
>4 0 22736 1186 16 0 1656 676 - S ? 0:00 /usr/sbin/vboxd
>anthony at voltaire:~$ ls /usr/sbin/vboxd
>ls: /usr/sbin/vboxd: No such file or directory
>
>
Very nice. NOW this is starting to get worrying, and it smells of a
rootkit. In that case, how hard it will be for you to confirm it depends
on how good the rootkit is.
In /proc/22736 you will see various useful things about the running
process. exe is linked to the running executable, regardless of what ps
says (what ps says can easily be changed by the process by tampering
with its argv[0]). In /proc/PID/fd you will also find its open file
descriptors.
Useful commands for finding rootkits:
du / | grep " "
du / | grep "/\\."
Examine whatever looks strange to you.
We use du instead of find because find is usually tampered with, whereas
I have rarely found a rootkit with a modified du. Also do an ls -l on
find, bin and ps and compare their sizes with some other identical Linux
distribution, or better, copy over fresh ones that you know work
correctly.
There were also some rootkits going around with special kernel modules
that made them more invisible than Ajax.
--
Christos Ricudis ricudis at itc.auth.gr
Systems Administrator +30-2310-998656
IT Support Center
Aristotle University of Thessaloniki, GREECE
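The checks the reply above describes, scripted as an added example that is not part of the original thread or the mailing list's own material: read /proc/PID/exe, /proc/PID/cmdline and /proc/PID/fd instead of trusting ps, and scan with du (not find) for directory names containing a space or a leading dot. It needs a Linux /proc and must run as root to inspect other users' processes; the function names, the " (deleted)" handling and the sample directory tree in the usage comment are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not code from the original thread). Procfs-based process
# checks and the du-based hidden-directory scan from the reply above.

# check_pid PID -> prints OK, DELETED, MISMATCH or NOPROC
#   DELETED : the mapped executable was unlinked from disk after it started;
#             the kernel appends " (deleted)" to the /proc/PID/exe link, which
#             is exactly the "ps shows /usr/sbin/vboxd but ls cannot find it"
#             situation in the thread
#   MISMATCH: argv[0] is an absolute path that is not the mapped binary
#             (a process can set argv[0] to anything; ps just prints it)
#   NOPROC  : no such PID, a kernel thread, or no permission (run as root)
check_pid() {
    pid=$1
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || { echo NOPROC; return 1; }
    case "$exe" in
        *' (deleted)') echo DELETED; return 1 ;;
    esac
    # argv[0] is the first NUL-terminated field of /proc/PID/cmdline
    argv0=$(tr '\0' '\n' 2>/dev/null < "/proc/$pid/cmdline" | head -n 1)
    case "$argv0" in
        /*)
            # -ef compares device+inode, so /bin/sh vs /usr/bin/dash through
            # symlinks or a merged /usr still counts as the same file
            if [ ! -e "$argv0" ] || [ ! "$argv0" -ef "$exe" ]; then
                echo MISMATCH; return 1
            fi ;;
    esac
    echo OK
}

# list_fds PID -> one "fd -> target" line per open descriptor
# (sockets show up as socket:[inode]; compare with what netstat claims)
list_fds() {
    for fd in /proc/"$1"/fd/*; do
        [ -L "$fd" ] || continue
        printf '%s -> %s\n' "${fd##*/}" "$(readlink "$fd")"
    done
}

# find_odd_names DIR -> directories under DIR whose path contains a space or
# a "/." component. This is the reply's du | grep trick with du's size column
# dropped; paths are printed relative to DIR so an odd TMPDIR or home path
# does not itself trigger a match.
find_odd_names() {
    ( cd "$1" && du . | cut -f 2- | grep -e ' ' -e '/\.' ) || :
}

# fingerprint CMD... -> size and SHA-256 of each binary, to compare against a
# known-good copy from the same distribution (stricter than eyeballing ls -l)
fingerprint() {
    for c in "$@"; do
        p=$(command -v "$c") || { echo "$c: not found"; continue; }
        printf '%s size=%s\n' "$p" "$(wc -c < "$p" | tr -d ' ')"
        sha256sum "$p"
    done
}

# Usage on the thread's box (as root):
#   check_pid 22736; list_fds 22736
#   find_odd_names /
#   fingerprint ls ps find netstat du
```

find_odd_names is deliberately built on du and cut only, since the reply's point is that find and ps are the binaries a rootkit usually replaces; if du itself is suspect, copy a known-good one in first, as the reply suggests for the other tools.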
More information about the Linux-greek-users mailing list