Linux desktop Trojan 'Hand of Thief'

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#16 Post by musher0 »

Hi, 8-bit.

Glad to see that lsof is included in Slacko.

To see the connections (open lines) specifically, type

lsof -i -n
Normally, you should have two open connections for cups ("printer"
connection), plus the URLs matching the open tabs in your browser, plus some for any real printer. (The latter to be checked.)

Any additional ones do not belong. But careful here: Opera, for example, needs 4 open connections to work correctly, even when idle. It may be the
same for Firefox, SeaMonkey, etc. (The latter to be checked.)

lsof -i -n -t
will give you only the process numbers of the connections.
-t stands for "terse". (Indeed!)

So if you find something fishy in the lsof connections listing, you may want to type
kill <process_number> (without the arrows)

Retype lsof -i -n to see if anything happened.
If nothing happened in the listing, and you know one connection is
suspicious, shut down with the computer button. (I know, this sounds
paranoid on a Linux machine, but better safe than sorry.)

Upon reboot, the offending connection should be gone; computer pirates
have no patience.

Typing
lsof
only will list all the open files on your system, not only the
programs but the libs they rely on. So that's a long list. No
surprise: lsof stands for "list open files".

lsof -h will list all lsof possibilities.

I hope this helps a bit in explaining how to work with this utility.

musher0
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)
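The procedure musher0 describes (list the open sockets with lsof, compare them against what you expect, note the PIDs of anything that does not belong) can be scripted so the review is repeatable. The example below is added here and is not part of the post: it parses a constructed sample of `lsof -i -n -P` output (the `-P` flag only suppresses port-name lookups so the lines stay uniform), compares the COMMAND column against an allowlist of programs that are expected to hold sockets (the allowlist itself is an assumption for the example), and prints the PIDs it would investigate rather than killing anything. The `live_check` function applies the same filter to the real lsof output when lsof is installed.

```shell
#!/bin/sh
# Constructed sample of `lsof -i -n -P` output for the example (not real data).
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
cupsd     812 root    9u  IPv4  12345      0t0  TCP 127.0.0.1:631 (LISTEN)
cupsd     812 root   10u  IPv6  12346      0t0  TCP [::1]:631 (LISTEN)
firefox  2201 user   45u  IPv4  22222      0t0  TCP 192.168.1.10:51234->93.184.216.34:443 (ESTABLISHED)
unknownd 3333 user    3u  IPv4  33333      0t0  TCP 192.168.1.10:40000->203.0.113.5:4444 (ESTABLISHED)'

# Programs that are allowed to hold network sockets on this machine.
# Assumption for the example: adapt it to what your own box normally runs.
ALLOWED="cupsd firefox opera seamonkey"

# unexpected_connections <lsof-output>
# Prints every socket line whose COMMAND column is not in ALLOWED.
unexpected_connections() {
    printf '%s\n' "$1" | awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 { next }          # skip the header line
        NF && !($1 in ok) { print }
    '
}

# count_unexpected <lsof-output> : number of lines unexpected_connections reports
count_unexpected() {
    unexpected_connections "$1" | awk 'END { print NR }'
}

# pids_of <lsof-lines> : the PID column, deduplicated (what `lsof -t` gives you)
pids_of() {
    printf '%s\n' "$1" | awk 'NF { print $2 }' | sort -u
}

# review <lsof-output>
# Reports what a human should look at; it never runs kill itself.
review() {
    suspects=$(unexpected_connections "$1")
    if [ -z "$suspects" ]; then
        echo "no unexpected connections"
        return 0
    fi
    echo "unexpected connections:"
    printf '%s\n' "$suspects"
    for pid in $(pids_of "$suspects"); do
        echo "inspect PID $pid (e.g. ls -l /proc/$pid/exe) before deciding to kill it"
    done
    return 1
}

# live_check : same filter over the real lsof output, if lsof is installed
live_check() {
    if command -v lsof >/dev/null 2>&1; then
        review "$(lsof -i -n -P 2>/dev/null)"
    else
        echo "lsof not installed" >&2
        return 2
    fi
}
```

Running `review "$SAMPLE_LSOF"` flags only the `unknownd` line and prints PID 3333 for inspection; the cups and Firefox sockets pass because their commands are on the allowlist. Keep the allowlist short and specific: a program that is allowed to hold a socket can still be the one that was tampered with, so the listing is a starting point for looking at the process, not a verdict.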
