Security issue!

Posted: Mon Oct 30, 2006 20:50
by No.2
My firewall firestarter says I have cheese worm trying to talk on 10008, yet I can't find any sign of it; no /tmp.cheese and a clean sweep with KlamAV of the whole system.

I just had aMule start by itself with my whole / dir shared! It crashed every time I tried to change that.

Should I be worried?

Posted: Tue Oct 31, 2006 0:39
by arjay
Well, I wouldn't like it, especially given your aMule situation. It was supposedly an attempt to close a port opened by the Linux.lion.worm and wasn't considered harmful when first released years ago. I'd try to find and remove:


Take a look at your /etc/inetd.conf to see if it's been modified too. You sound like you're aware of it, so I may not be telling you anything you don't already know.

I'd also emerge and run rkhunter, just cuz it's a good idea.

emerge -v rkhunter

Run that regularly if you don't already. I've never had a problem with the cheese.worm myself, and am basically trying to remember the discussions and solutions I heard. Maybe someone else actually had to deal with it and can offer more information. Good luck!
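
Added example (not part of the original posts): a check for local sockets using TCP port 10008 and for uncommented /etc/inetd.conf entries, the two things raised above. The sample /proc/net/tcp rows and inetd.conf lines are constructed, and the function names are illustrative.

```python
import os

PORT = 10008  # port the firewall reported in the thread
STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "0A": "LISTEN"}  # subset of kernel codes

def sockets_on_port(proc_net_tcp_text, port=PORT):
    """Return (state, local_port, remote_port) for sockets using `port`.
    Input is the text of /proc/net/tcp or /proc/net/tcp6."""
    hits = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # first line is the header
        f = line.split()
        if len(f) < 4:
            continue
        lport = int(f[1].rsplit(":", 1)[1], 16)  # ports are hex after the last ':'
        rport = int(f[2].rsplit(":", 1)[1], 16)
        if port in (lport, rport):
            hits.append((STATES.get(f[3], f[3]), lport, rport))
    return hits

def active_inetd_entries(inetd_conf_text):
    """Return (service, user, program) for every uncommented inetd.conf line."""
    entries = []
    for line in inetd_conf_text.splitlines():
        f = line.split("#", 1)[0].split()
        if len(f) >= 6:  # service socket proto wait user program [args]
            entries.append((f[0], f[4], f[5]))
    return entries

# Constructed sample data, not taken from the thread.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:2718 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1111 1
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 2222 1
   2: 0A00000A:C350 0B00000A:2718 02 00000001:00000000 01:00000064 00000000  1000        0 3333 1
"""
SAMPLE_INETD = """\
# ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd
10008 stream tcp nowait nobody /usr/local/bin/example-daemon example-daemon
"""

if __name__ == "__main__":
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        if os.path.exists(path):
            with open(path) as fh:
                print(path, sockets_on_port(fh.read()))
    if os.path.exists("/etc/inetd.conf"):
        with open("/etc/inetd.conf") as fh:
            print(active_inetd_entries(fh.read()))
```

An empty result for the live files means no local socket is bound to or connected on 10008 at the moment of the check; the firewall's own log shows the direction of the traffic it flagged.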

Posted: Tue Oct 31, 2006 0:49
by No.2
Thanks for the reply.

Ran rkhunter and chkrootkit and nothing. I have xinetd.conf, so cheese wouldn't have modded that. Makes me think it is a false id by the firewall. It is trying to use 10008 though...

Still scratching my head re aMule. Reinstalled it and it has not happened since...

Posted: Tue Oct 31, 2006 1:01
by arjay
You're right...very strange. It may be something with firestarter, but I haven't received any complaints from fs. Will check the log and if I see anything, I'll get back. G'luck!

Posted: Tue Oct 31, 2006 1:12
by cvill64
Very odd, could have been a corrupted build and the way it was asking was flagged as suspicious as a virus must have root access to do any damage.