Port 6667 - kids brought something home from school


  • Banned

    Hi!

    Apparently one of the kids brought home some Linux trojan on his school notebook, I found info on

    yoyo

    Trinity

    in this database

    http://www.simovits.com/trojans/trojans.html

    Any advice what to do besides reinstalling the OS completely (to be done over weekend…)?

    Kind regards

    chemlud
    [ma port 6667.jpg](/public/imported_attachments/1/ma port 6667.jpg)



  • I have no suggestions for how to clean it, but I am curious what detected it. Did Snort or Suricata fire an alert, or did you see unusual activity in the firewall log (or maybe both)?

    Bill



  • @2chemlud:

    Hi!

    Apparently one of the kids brought home some Linux trojan on his school notebook, I found info on

    yoyo

    Trinity

    in this database

    http://www.simovits.com/trojans/trojans.html

    Any advice what to do besides reinstalling the OS completely (to be done over weekend…)?

    Kind regards

    chemlud

    Are you sure they have a virus?

    They could just be chatting on IRC. IRC commonly connects on TCP ports 6660-6669, with 6667 being the most common.



  • When I see the words Linux and virus or Linux and trojan in the same sentence, my first thought is "false positive"…

    Of course, it can be done... It just takes work on the part of the Linux user to install the bug.

    Is it a WINE-compatible Windows thing maybe? Or just nothing?


  • LAYER 8 Netgate

    IRC is also commonly used by bad things for command and control.


  • Banned

    Dear all!

    Many thanks for replies! Snort detected it. Nothing in the firewall logs. Today, the same thing, but only one IP blocked by Snort, but three others (TCP-s) blocked by standard block rule in firewall…

    I learned that there are some programmers and game IRC channels booked on this notebook... :-)

    Kids are always a surprise, every day again...

    Kind regards for your input!

    chemlud

    PS: No wine on this device... :-)


  • Banned

    PPS:

    Wanted to have a look at the firewall logs, but apparently size is fixed to 500 kB, and the log was filled with nonsense "allow multicast" messages (IGMP 224.0.0.22 and stuff like that, no rule indicated why this nonsense is logged…), so that all relevant info from yesterday is gone.

    I tried to find the place where I can increase the log-size, but without success... Any suggestion where to increase the size of the log files?

    Many thanks in advance!

    chemlud...

    Found it! Increased log size, but it still logs this 224.0.0.22 IGMP although I have for more than a year now an "allow" rule for that without (!) logging (to stop flooding the logs), but pfSense simply doesn't care and logs this traffic anyway. Don't know what to do with that....

    PPPS: Erased the allow rule for IGMP from LAN to 224.0.0.22 and set it up newly, but again this traffic was in the log file. Switched to "block" and now it subsided... Strange....
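
An added example, not part of any post in this thread: a small triage script that pulls TCP connections to the IRC ports (6660-6669) out of firewall log text and reports how much of the log is the 224.0.0.22 multicast noise described above. It assumes pfSense's comma-separated `filterlog` layout for IPv4 records (action in the 7th field, protocol name in the 17th, source and destination in the 19th and 20th, ports in the 21st and 22nd); the sample lines, host name `fw` and all addresses are constructed.

```python
import re
from collections import defaultdict

IRC_PORTS = range(6660, 6670)  # 6660-6669, the range named in the thread

# Constructed sample log (not taken from the thread).
SAMPLE_LOG = """\
Mar  3 17:02:10 fw filterlog: 7,,,1000000103,em1,match,pass,in,4,0xc0,,1,0,0,DF,2,igmp,40,192.168.1.23,224.0.0.22,datalength=16
Mar  3 17:02:11 fw filterlog: 5,,,1000000104,em1,match,block,in,4,0x0,,64,4321,0,DF,6,tcp,60,192.168.1.23,203.0.113.10,51234,6667,0,S,1111,,29200,,mss
Mar  3 17:02:12 fw filterlog: 7,,,1000000103,em1,match,pass,in,4,0xc0,,1,0,0,DF,2,igmp,40,192.168.1.40,224.0.0.22,datalength=16
Mar  3 17:02:14 fw filterlog: 5,,,1000000104,em1,match,block,in,4,0x0,,64,4322,0,DF,6,tcp,60,192.168.1.23,203.0.113.10,51240,6667,0,S,2222,,29200,,mss
Mar  3 17:02:20 fw filterlog: 5,,,1000000104,em1,match,block,in,4,0x0,,64,4323,0,DF,6,tcp,60,192.168.1.23,198.51.100.7,51300,6667,0,S,3333,,29200,,mss
Mar  3 17:02:25 fw filterlog: 9,,,1000000105,em1,match,pass,in,4,0x0,,64,4324,0,DF,6,tcp,60,192.168.1.40,198.51.100.99,40000,443,0,S,4444,,29200,,mss
"""

def _records(log_text):
    """Yield the comma-separated fields of every IPv4 filterlog record."""
    for line in log_text.splitlines():
        m = re.search(r"filterlog(?:\[\d+\])?: (.*)$", line)
        if m:
            f = m.group(1).split(",")
            if len(f) >= 20 and f[8] == "4":
                yield f

def irc_connections(log_text):
    """Return {(src, dst, dport, action): count} for TCP traffic to IRC ports."""
    hits = defaultdict(int)
    for f in _records(log_text):
        # Only TCP records carry a destination port at index 21.
        if f[16] != "tcp" or len(f) < 22 or not f[21].isdigit():
            continue
        dport = int(f[21])
        if dport in IRC_PORTS:
            hits[(f[18], f[19], dport, f[6])] += 1
    return dict(hits)

def noise_share(log_text, dst="224.0.0.22"):
    """Fraction of IPv4 records addressed to the given multicast group."""
    recs = list(_records(log_text))
    return sum(f[19] == dst for f in recs) / len(recs) if recs else 0.0

if __name__ == "__main__":
    for key, count in sorted(irc_connections(SAMPLE_LOG).items()):
        print(count, *key)
    print("multicast share: %.0f%%" % (100 * noise_share(SAMPLE_LOG)))
```

Grouping by source host and destination shows which notebook is talking to which IRC servers and whether the firewall passed or blocked it, which is the information that was lost when the log rotated.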

