Posted: Mon Oct 30, 2006 20:50
My firewall, Firestarter, says I have the cheese worm trying to talk on 10008, yet I can't find any sign of it; no /tmp.cheese and a clean sweep with KlamAV of the whole system.
I just had aMule start by itself with my whole / dir shared! It crashed every time I tried to change that.
Should I be worried?
Posted: Tue Oct 31, 2006 0:39
Well, I wouldn't like it, especially given your aMule situation. It was supposedly an attempt to close a port opened by the Linux.lion.worm and wasn't considered harmful when first released years ago. I'd try to find and remove:
Take a look at your /etc/inetd.conf to see if it's been modified too. You sound like you're aware of it, so I may not be telling you anything you don't already know.
I'd also emerge and run rkhunter, just cuz it's a good idea.
Run that regularly if you don't already. I've never had a problem with the cheese.worm myself, and am basically trying to remember the discussions and solutions I heard. Maybe someone else actually had to deal with it and can offer more information. Good luck!
Posted: Tue Oct 31, 2006 0:49
Thanks for the reply.
Ran rkhunter and chkrootkit and nothing. I have xinetd.conf, so cheese wouldn't have modded that. Makes me think it is a false ID by the firewall. It is trying to use 10008 though...
Still scratching my head re aMule; reinstalled it and it has not happened since...
Posted: Tue Oct 31, 2006 1:01
You're right...very strange. It may be something with firestarter, but I haven't received any complaints from fs. Will check the log and if I see anything, I'll get back. G'luck!
Posted: Tue Oct 31, 2006 1:12
Very odd. Could have been a corrupted build, and the way it was asking was flagged as suspicious, as a virus must have root access to do any damage.