flarius (n00b), Joined: 11 Mar 2003, Posts: 14
Posted: Tue Apr 19, 2005 1:10 pm, Post subject: trojan alert?
Hello gentoo-users,
please help me. I don't know what is happening here!
After typing:
$netstat | grep local
I got a connection to
manganese.bos.dyndns.org
but I haven't initiated any connection manually. That's the problem!
The connection starts up when I start my dhcpcd daemon.
My AntiVir program found a Java-based trojan and I have killed it.
I use mozilla-firefox-1.0.2, gentoo-2005.0, kernel 2.6.11.
What is this network connection for?
Am I under attack by a trojan? How can I remove this connection?
mekong (Tux's lil' helper), Joined: 23 Apr 2004, Posts: 93, Location: Rdam - NL - EU
Posted: Tue Apr 19, 2005 1:30 pm
If you use "netstat -p", you can see the PID of the process which started the connection.
flarius (n00b), Joined: 11 Mar 2003, Posts: 14
Posted: Tue Apr 19, 2005 3:07 pm
$netstat -pe
shows this:
tcp 0 0 localhost:40869 manganese.bos.dynd:smtp TIME_WAIT root 0 -
I got no PID. Any ideas on how to kill this process?
I'm wondering because a dyndns administrator is working under the domain "manganese.bos.dyndns.org".
He is writing messages in mailgroups. But I'm not working with an existing dyndns account.
Is there still hope for me?
mekong (Tux's lil' helper), Joined: 23 Apr 2004, Posts: 93, Location: Rdam - NL - EU
Posted: Tue Apr 19, 2005 4:05 pm
SMTP is port 25, for sending mail. How do you know he is an admin writing messages in mailgroups? Are you on the same mailgroup? Probably harmless; you're sending him email.
flarius (n00b), Joined: 11 Mar 2003, Posts: 14
Posted: Tue Apr 19, 2005 4:22 pm
Hi,
this information I found at
https://forums.gentoo.org/viewtopic-t-189980-highlight-manganese.html
and by googling the web...
but I still haven't any idea what is happening here...
The connection always starts and ends together with my cron daemon. When I kill it, the connection dies. When I start the cron daemon, the connection starts up too. I watched the local ports dynamically grow as they connect to the server outside...
I still think it's a spyware program (?)
mekong (Tux's lil' helper), Joined: 23 Apr 2004, Posts: 93, Location: Rdam - NL - EU
Posted: Tue Apr 19, 2005 4:44 pm
Okay, this is a serious problem: your cron daemon is trying to send email to the dyndns email server, because you misconfigured your cron daemon. When a cron job exits with an error it will try to send an email to the root user. Check your cron daemon configuration again. And maybe your server's domain name too. Maybe you chose one that happens to be one of dyndns's domains (homelinux.com perhaps? from your link). If you don't have a fully qualified domain name, choose something like myserver.localdomain; make sure it's a non-existent domain.
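A small triage helper, added here as an example and not part of the thread, that parses `netstat -tpe` rows like the one flarius posted, flags outbound SMTP connections, and shows why a TIME_WAIT row carries no PID. The first sample row is the one quoted above; the other rows are constructed for the demo.

```python
from typing import Dict, List

# Constructed sample of `netstat -tpe` output without its header lines.
# Row 1 is quoted from the thread; rows 2-4 are made up for this example.
SAMPLE_NETSTAT = """\
tcp 0 0 localhost:40869 manganese.bos.dynd:smtp TIME_WAIT root 0 -
tcp 0 0 localhost:40870 manganese.bos.dynd:smtp ESTABLISHED root 17321 4211/sendmail
tcp 0 0 localhost:33102 www.example.org:http ESTABLISHED flarius 17402 4320/firefox-bin
tcp 0 0 localhost:smtp localhost:40871 ESTABLISHED root 17410 4199/sendmail
"""

SMTP_PORTS = {"smtp", "25", "submission", "587"}
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def parse_line(line: str) -> Dict[str, str]:
    """Split one `netstat -tpe` row into named fields (PID/program may be '-')."""
    fields = line.split()
    if len(fields) != 9:
        raise ValueError(f"unexpected netstat row: {line!r}")
    proto, _recvq, _sendq, local, foreign, state, user, _inode, prog = fields
    lhost, _, lport = local.rpartition(":")
    fhost, _, fport = foreign.rpartition(":")
    return {"proto": proto, "local_host": lhost, "local_port": lport,
            "foreign_host": fhost, "foreign_port": fport,
            "state": state, "user": user, "program": prog}


def outbound_smtp(netstat_text: str) -> List[Dict[str, str]]:
    """Return every outbound SMTP connection plus a hint on how to trace it.

    An ephemeral local port talking to a remote port 25 means this host is the
    mail client, so some local process is sending mail. A TIME_WAIT row has no
    owning socket any more (the kernel keeps it briefly after close), which is
    why netstat printed '-' for the PID; only a live state such as ESTABLISHED
    can still name the process.
    """
    findings = []
    for row in netstat_text.splitlines():
        if not row.strip():
            continue
        c = parse_line(row)
        if c["foreign_port"] not in SMTP_PORTS or c["foreign_host"] in LOCAL_HOSTS:
            continue
        if c["program"] == "-":
            c["hint"] = "no owner (socket already closed); re-run while ESTABLISHED"
        else:
            c["hint"] = f"inspect {c['program']} with ps and the mail log"
        findings.append(c)
    return findings
```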
flarius (n00b), Joined: 11 Mar 2003, Posts: 14
Posted: Tue Apr 19, 2005 4:55 pm
@mekong
that is a good message!
I will try to set up the configuration correctly...
Thank you for your support! cu!