Okay, so I am having problems with a Fedora Core 14 Linux machine. I inherited it recently from my late brother and while he was a Linux GOD, I am merely a mortal. I know something, somewhat about Linux from my days as a contributing editor at Newsforge (talk about embarrassing, asking this when I used to WRITE about Linux), but I do not know enough to solve this problem.
Anyway, I have traffic captures that look exactly, I mean EXACTLY like the dns-remoteshell.pcap (from the wireshark wiki under viruses and worms), but I don't know what to do NOW. Added bonus, my ISP is Hughesnet and I am getting slammed for going over their arbitrary and VERY low traffic caps. It's driving me WILD. I've been working on this for four days now and finding the pcap was a big breakthrough, but I don't know how to get rid of the worm(?), fix the problem or make this computer work right again. I am beginning to think that my best bet might be to wipe Fedora 14 and use freaking Windows which at least I understand. How is THAT for frustrated, PLEASE will someone trade me for a Mac!
Can someone help me, please!
UPDATE: whoops! neglected to mention that I've run a full scan with ClamAV with up to date signatures. And this seems to infect more than one user account.
asked 10 Aug '11, 06:39
edited 10 Aug '11, 06:42
The file dns-remoteshell.pcap shows packets to an infected Windows XP system where a remote shell seems to be enabled on the TCP DNS port (and also on the TELNET and HTTP ports for that matter). In which way does your captured traffic look "exactly" the same?
What does ClamAV tell you? Which files seem to be infected and what kind of infections does it report? That would be your starting point in searching for a cure.
This Q&A site might be able to help you analyze your traffic, but for cleaning the box, you are better off at other more Linux-oriented sites. You might want to try http://superuser.com/ or http://serverfault.com/
answered 10 Aug '11, 09:28
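The answer above hinges on one question: is the traffic on TCP port 53 actually DNS, or is it a shell session that merely uses the DNS port? A quick way to check that without eyeballing every packet is to parse the capture and flag port-53 TCP segments whose payload does not have the DNS-over-TCP shape (two-byte length prefix followed by a 12-byte DNS header, RFC 1035 section 4.2.2). The script below is an added example written for this page, not code from the thread or from the Wireshark wiki sample; it builds a small constructed pcap in memory (the hosts, MAC and IP addresses, and the shell banner are invented) so it runs offline, and `scan_pcap()` can be pointed at the bytes of a real classic pcap file instead (pcapng is not handled).

```python
"""Flag TCP port-53 segments in a pcap whose payload is not shaped like DNS-over-TCP.

Added example for this page, not from the original thread. The sample capture at the
bottom is constructed (addresses, MACs and banner are made up) so the script runs offline.
"""
import socket
import struct

DNS_PORT = 53


def build_tcp_frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet/IPv4/TCP frame with zeroed checksums (Wireshark would mark them bad; the parser below ignores them)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"  # constructed MACs
    # TCP: sport, dport, seq, ack, data offset 5 words, flags PSH|ACK, window, checksum, urgent pointer
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    # IPv4: ver/IHL, TOS, total length, id, flags/frag, TTL, proto 6 (TCP), checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def build_pcap(frames):
    """Classic libpcap file: 24-byte global header (LINKTYPE_ETHERNET = 1), then a 16-byte header per record."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1312960000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_pcap(data):
    """Yield (timestamp, frame bytes) from a classic pcap in either byte order."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def decode_tcp(frame):
    """Return (src, sport, dst, dport, payload) for an IPv4/TCP Ethernet frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    if ip[9] != 6 or ihl < 20 or len(ip) < total_len:
        return None
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    return socket.inet_ntoa(ip[12:16]), sport, socket.inet_ntoa(ip[16:20]), dport, tcp[data_off:]


def looks_like_dns_tcp(payload):
    """DNS over TCP: 2-byte length prefix matching the rest, a 12-byte header, and zero Z bits in the flags."""
    if len(payload) < 14:
        return False
    msg_len = struct.unpack_from("!H", payload, 0)[0]
    if msg_len != len(payload) - 2:
        return False
    return (payload[5] & 0x70) == 0  # Z bits live in the low byte of the flags word


def scan_pcap(data):
    """List (time, src, sport, dst, dport, payload) for port-53 TCP segments that carry non-DNS data."""
    hits = []
    for ts, frame in iter_pcap(data):
        seg = decode_tcp(frame)
        if seg is None:
            continue
        src, sport, dst, dport, payload = seg
        if DNS_PORT in (sport, dport) and payload and not looks_like_dns_tcp(payload):
            hits.append((ts, src, sport, dst, dport, payload))
    return hits


# Constructed sample traffic: one genuine DNS/TCP query, then a shell bound to port 53 talking to a client.
DNS_QUERY = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00" + b"\x07example\x03com\x00\x00\x01\x00\x01"
DNS_QUERY_TCP = struct.pack("!H", len(DNS_QUERY)) + DNS_QUERY
SHELL_BANNER = b"bash: no job control in this shell\nbash-4.1$ "  # invented banner
SAMPLE_PCAP = build_pcap([
    build_tcp_frame("192.168.1.10", "192.168.1.1", 40001, 53, DNS_QUERY_TCP),   # real DNS over TCP
    build_tcp_frame("10.0.0.5", "192.168.1.10", 53, 3421, SHELL_BANNER),        # shell listening on 53
    build_tcp_frame("192.168.1.10", "10.0.0.5", 3421, 53, b"ls -la\n"),         # operator typing a command
])

if __name__ == "__main__":
    for ts, src, sport, dst, dport, payload in scan_pcap(SAMPLE_PCAP):
        print(f"{ts:.6f} {src}:{sport} -> {dst}:{dport} {payload[:40]!r}")
```

Running it on the constructed capture prints the two shell segments and stays silent on the genuine query. In Wireshark the equivalent first look is a display filter such as `tcp.port == 53 && !dns`, bearing in mind that the DNS dissector will try to decode whatever it sees on that port. If the flagged traffic originates from the Fedora box, the companion host-side check is to find the process that owns the port-53 socket (`ss -tnp` or `lsof -iTCP:53` as root); a shell rather than a resolver holding it is the thing to clean.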