[plug] Finding a possible trojan/exploit?

Bernd Felsche bernie at innovative.iinet.net.au
Sat Jan 20 09:49:47 WST 2007


Steve Baker <steve at iinet.net.au> writes:

>So I force the server to relay through the ISP instead of going direct.  
>I turn on some packet logging and later today I find an outbound mail 
>connection going direct to a 3rd party mail server and NOT through the 
>ISP relayhost.  Interesting.  There is no mention of this email in the 
>postfix logs - obviously wasn't sent via postfix.

If you can detect an active connection, then you can use lsof to
identify the process ID; and from that process ID, the executable
and other "files" open by that process. It may even identify the IP
of the remote control being used as well as the listen ports of a
bot, should they be open.

e.g. # lsof -i :25
will list all processes on the local host that have a port 25 (smtp)
open to anywhere.

If the system is forwarding from within the kernel (e.g. IP
forwarding), then lsof will not show a process.
-- 
/"\ Bernd Felsche - Innovative Reckoning, Perth, Western Australia
\ /  ASCII ribbon campaign | "If we let things terrify us,
 X   against HTML mail     |  life will not be worth living."
/ \  and postings          | Lucius Annaeus Seneca, c. 4BC - 65AD.
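One way to turn that lsof output into a check for SMTP connections that bypass the ISP relayhost, as an added example that is not part of the original post: it parses `lsof -nP -i :25` output (constructed sample lines embedded below) and assumes the relayhost's IP in RELAY_HOST, which is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post. Takes the output of
# `lsof -nP -i :25` and lists every ESTABLISHED SMTP connection whose
# remote end is not the ISP relayhost, so mail leaving by some other
# path stands out. RELAY_HOST is a placeholder, not a value from the post.

RELAY_HOST="203.0.113.25"   # placeholder: the ISP relayhost's address

# Reads lsof -nP -i output on stdin; prints "PID COMMAND REMOTE" for each
# established connection whose peer is not $RELAY_HOST. Works for IPv4
# and IPv6 because only the trailing ":port" is stripped from the peer.
find_unexpected_smtp() {
    awk -v relay="$RELAY_HOST" '
        NR == 1 { next }                        # skip the column header
        $NF == "(ESTABLISHED)" {
            # NAME field looks like 10.0.0.5:44321->198.51.100.7:25
            split($(NF-1), ends, "->")
            peer = ends[2]
            sub(/:[0-9]+$/, "", peer)           # drop the remote port
            if (peer != relay) print $2, $1, ends[2]
        }'
}

# Next step on the live host (as root): from the PID, get the executable,
# working directory and every file the process has open.
inspect_pid() {
    pid="$1"
    ls -l "/proc/$pid/exe" "/proc/$pid/cwd" 2>/dev/null
    lsof -p "$pid" 2>/dev/null
}

# Constructed sample of `lsof -nP -i :25` output, for demonstration only:
# postfix relaying via the ISP host, plus an unrelated process talking
# straight to a third-party mail server.
SAMPLE='COMMAND  PID USER    FD   TYPE DEVICE SIZE/OFF NODE NAME
master  1234 root    12u  IPv4  10001      0t0  TCP *:25 (LISTEN)
smtp    1240 postfix  5u  IPv4  10055      0t0  TCP 10.0.0.5:44310->203.0.113.25:25 (ESTABLISHED)
.bash   4242 nobody   3u  IPv4  10999      0t0  TCP 10.0.0.5:44321->198.51.100.7:25 (ESTABLISHED)'

printf '%s\n' "$SAMPLE" | find_unexpected_smtp
```

On a real host, replace the sample with `lsof -nP -i :25 | find_unexpected_smtp` and feed each reported PID to inspect_pid.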