This appears to be a Linux trojan: http://www.symantec.com/security_response/writeup.jsp?docid=2005-032316-4307-99&tabid=1
Given the types of directories it creates you must have been running X or other applications as root and you allowed it to install, or run some unchecked binary. If this were my system I would *definitely* reinstall, after using shred on the partitions.

Good luck.

On Friday 03 November 2006 18:35, Alex Pelts wrote:
> This is possibly some spyware or trojan which hides its process from
> process manager. You can try to use tools from sysinternals.com to
> discover this process. Also run updated anti-virus software to check if
> there is any virus.
> When you run anti-virus disable windows restore because if the file is
> in one of the windows directories it will be restored right back. You
> should have your hands full with this one. Don't let it slide though
> because it may be some key logger or some zombie software.
>
> Alex
>
> danidani wrote:
> > PID is 1576 but it doesn't correspond to any PID that is listed in the
> > Task Manager
> >
> > quite strange isn't it?!
> >
> > On 11/3/06, *Alex Pelts* <[EMAIL PROTECTED]> wrote:
> >
> > Under win xp you can run "netstat -a -o". That will give you pid of
> > process which owns each connection. From there you can run task
> > manager and find out who opened that connection. On unix there is a
> > similar facility although switches are different and you need to be root
> > to do it.
> >
> > Regards,
> > Alex
> >
> > danidani wrote:
> > > GREAT, it works with this trick!!
> > >
> > > Now the question is... which program is using port 5900??!
> > >
> > > On 11/3/06, John Aldrich <[EMAIL PROTECTED]> wrote:
> > >> On Friday 03 November 2006 10:50, danidani wrote:
> > >>> Doing telnet ipaddress 5900 I obtain:
> > >>> : [EMAIL PROTECTED] NOTICE * :psyBNC2.3.1
> > >>> running telnet ipaddress 5907 I get
> > >>>
> > >>> RFB 003.008
> > >>>
> > >>> and that is correct because I changed the port on the vnc server
> > >>>
> > >>> Anyway I don't get access yet.
> > >>
> > >> Try adding :7 to the name or IP address of the PC you're attempting
> > >> to connect to from remote. Or you can put ::5907 after the name/ip
> > >> address of the PC.
> > >> John
> > >> _______________________________________________
> > >> VNC-List mailing list
> > >> VNC-List@realvnc.com
> > >> To remove yourself from the list visit:
> > >> http://www.realvnc.com/mailman/listinfo/vnc-list
> >
> > --
> > skype: danieleda
> > msn: [EMAIL PROTECTED]

--
Regards,
Mick
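
An added example, not part of the thread or written by its participants: it combines the two checks discussed above, classifying the greeting a port sends (a VNC server opens with the 12-byte RFB ProtocolVersion line) and pulling the owning PID out of `netstat -a -o` output to compare against the process list. The netstat column layout, the visible-PID set and the banner bytes are constructed samples modelled on the values quoted in the thread.

```python
import re
import socket

# RFB ProtocolVersion greeting: exactly 12 bytes, "RFB xxx.yyy\n".
RFB_GREETING = re.compile(rb"RFB (\d{3})\.(\d{3})\n")

def classify_banner(banner: bytes) -> str:
    """Label the first bytes a server sends on a port expected to be VNC."""
    m = RFB_GREETING.match(banner)
    if m:
        return "rfb %d.%d" % (int(m.group(1)), int(m.group(2)))
    if not banner:
        return "silent"
    first_line = banner.splitlines()[0][:80].decode("latin-1")
    return "not-rfb: " + first_line

def read_banner(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Connect and return whatever the server sends first (may be empty)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(256)
        except socket.timeout:
            return b""

def listening_pids(netstat_out: str, port: int) -> set:
    """PIDs owning a LISTENING TCP socket on `port` in `netstat -a -o` output."""
    pids = set()
    for line in netstat_out.splitlines():
        f = line.split()
        if (len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING"
                and f[1].rsplit(":", 1)[-1] == str(port)):
            pids.add(int(f[4]))
    return pids

# Constructed samples modelled on the thread (not captured output).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING       1576
  TCP    0.0.0.0:5907           0.0.0.0:0              LISTENING       2040
"""
VISIBLE_PIDS = {4, 812, 2040}  # PIDs the process list shows (constructed)

if __name__ == "__main__":
    samples = ((5900, b":[redacted] NOTICE * :psyBNC2.3.1\r\n"),
               (5907, b"RFB 003.008\n"))
    for port, banner in samples:
        unlisted = sorted(listening_pids(SAMPLE_NETSTAT, port) - VISIBLE_PIDS)
        print(port, classify_banner(banner), "unlisted PIDs:", unlisted)
```

On a live host, `read_banner("127.0.0.1", 5900)` supplies the bytes for `classify_banner`; a listener whose PID is missing from the process list and whose greeting is not RFB matches the situation reported in the thread.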