An unauthorized program, placed by a malicious user, has been found on at least one of the machines in the university. This document will provide:
2. The threat
As indicated above, this program poses a serious threat both to the local machine and to other machines accessible from the network. Any files on the infected machine may be read or modified. The attacker may also watch any local network traffic and thereby obtain passwords or other information. As a platform for a DoS attack, the infected computer may affect the operation of other computers on the network. This may also have an adverse effect on the local network resources.
It is possible to tell if the program is running on your machine using the netstat command. Execute netstat --raw -na and look for a line listing a raw socket with a local address of 0.0.0.0:11 as shown below. The example is of an infected machine. If you find that your machine is infected, stop using it and notify the technical department immediately. If that line does not appear in the output then the program is not currently running. Beware that your machine may still contain the program even if it is not running.
infected$ netstat --raw -na
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
raw        0      0 0.0.0.0:11              0.0.0.0:*               7
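The check described above can be scripted so it is applied the same way on every machine. This is an added example, not part of the original advisory; the function name check_raw_listener and the "clean" sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: look for the raw-socket line described in the advisory.
# check_raw_listener reads `netstat --raw -na` output on stdin and prints
# every line whose Proto is "raw" and whose Local Address is 0.0.0.0:11.
# For raw sockets netstat prints the IP protocol number where a port would be.
# Exit status: 0 = indicator found, 1 = indicator not found.
check_raw_listener() {
    awk '
        # netstat -na layout: field 1 = Proto, field 4 = Local Address
        $1 == "raw" && $4 == "0.0.0.0:11" { print; found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# Sample copied from the advisory (infected machine).
sample_infected() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
raw        0      0 0.0.0.0:11              0.0.0.0:*               7
EOF
}

# Constructed sample: a machine with only an ordinary ICMP raw socket.
sample_clean() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
raw        0      0 0.0.0.0:1               0.0.0.0:*               7
EOF
}

# Demonstration on the embedded samples (runs offline).
for s in sample_infected sample_clean; do
    if $s | check_raw_listener >/dev/null; then
        echo "$s: raw socket on 0.0.0.0:11 present, stop using the machine"
    else
        echo "$s: indicator not present (program not currently running)"
    fi
done

# Live use on a machine being checked:
#   netstat --raw -na | check_raw_listener
```

A non-match only shows that the program is not running at that moment; as noted above, the machine may still contain it.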
Normal security precautions should be taken to avoid executing this program. Don't use easily guessed passwords, keep the machine locked when you are not at it, and so on. This will go a long way toward keeping the program off the computer in the first place. Also, do not use root or su any more than you absolutely have to. And when you do, make sure you know what executables you're running.