3. List the PID(s) of the process(es) that had a suspect port(s) open (i.e. ports that are not open by default on Red Hat 7.2).

Even with the trojaned 'ps' command on the box, it was still possible to see the following processes:

root 25239 0.0 0.3 1880 336 ? S 15:32 0:00 /lib/.x/s/xopen -q -p
root 25241 0.0 0.7 1888 672 ? S 15:32 0:00 /lib/.x/s/xopen -q -p

Anyway, to complete the picture, here is the output of:

netstat -ap (trusted netstat binary)

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:netbios-ssn *:* LISTEN 845/smbd
tcp 0 0 *:finger *:* LISTEN 732/xinetd
tcp 0 0 *:http *:* LISTEN 3137/smbd -D
tcp 0 0 *:auth *:* LISTEN 677/identd
tcp 0 0 *:cfinger *:* LISTEN 3137/smbd -D
tcp 0 0 *:ftp *:* LISTEN 732/xinetd
tcp 0 0 *:ssh *:* LISTEN 699/sshd
tcp 0 0 *:telnet *:* LISTEN 732/xinetd
tcp 0 0 *:65336 *:* LISTEN 15119/initd
tcp 0 0 *:squid *:* LISTEN 25241/xopen

tcp 0 0 localhost.localdom:smtp *:* LISTEN 759/sendmail: accep
tcp 0 0 *:https *:* LISTEN 3137/smbd -D
tcp 0 0 *:65436 *:* LISTEN 15119/initd
tcp 0 688 192.168.1.79:65336 213.154.118.200:1188 ESTABLISHED 15119/initd

udp 0 0 192.168.1.79:netbios-ns *:* 850/nmbd
udp 0 0 *:netbios-ns *:* 850/nmbd
udp 0 0 192.168.1.7:netbios-dgm *:* 850/nmbd
udp 0 0 *:netbios-dgm *:* 850/nmbd
udp 0 288 192.168.1.79:1039 192.168.1.1:domain ESTABLISHED -
udp 0 0 *:3049 *:* 25239/xopen
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ACC ] STREAM LISTENING 943 778/gpm /dev/gpmctl
unix 4 [ ] DGRAM 7984 3247/syslogd /dev/log
unix 2 [ ] DGRAM 15679 732/xinetd
unix 2 [ ] DGRAM 7993 3252/klogd
unix 2 [ ] DGRAM 1078 893/login -- root
unix 2 [ ] DGRAM 990 820/crond
unix 2 [ ] DGRAM 924 759/sendmail: accep
unix 2 [ ] DGRAM 834 677/identd
unix 2 [ ] DGRAM 804 657/apmd
unix 2 [ ] STREAM CONNECTED 417 1/init
Active IPX sockets
Proto Recv-Q Send-Q Local Address Foreign Address State

Thus we have:
- a Samba daemon (smbd -D) listening on the http, https and cfinger ports (!),
- initd (modified by the rootkit) listening on ports 65336 and 65436. There is an active connection from a host in Romania to port 65336 (as we can see here, the PsyBNC bouncer is running).
- xopen listening on port 3049.

Xinetd starts finger, ftp, and telnet: pretty insecure, but this looks like "normal" Red Hat Linux behaviour...
Also nmbd (the other Samba process) is behaving normally, opening the needed netbios ports.
On the other hand, we see that its counterpart smbd is not (see above).

So the list of PIDs is:

25239/xopen
3137/smbd -D
15119/initd
25241/xopen
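As an added example (not part of the original analysis), the same triage can be scripted: the code below parses the trusted netstat -ap rows and reports every listener whose port or owning program does not match a per-host baseline, then attaches the established connections of the flagged PIDs. The BASELINE table and the NETSTAT_SAMPLE rows are assumptions constructed from the output above, not something the page provides.

```python
from collections import defaultdict

# Constructed sample: a subset of the trusted netstat -ap rows shown above.
NETSTAT_SAMPLE = """\
tcp 0 0 *:netbios-ssn *:* LISTEN 845/smbd
tcp 0 0 *:finger *:* LISTEN 732/xinetd
tcp 0 0 *:http *:* LISTEN 3137/smbd -D
tcp 0 0 *:cfinger *:* LISTEN 3137/smbd -D
tcp 0 0 *:65336 *:* LISTEN 15119/initd
tcp 0 0 *:squid *:* LISTEN 25241/xopen
tcp 0 0 *:https *:* LISTEN 3137/smbd -D
tcp 0 688 192.168.1.79:65336 213.154.118.200:1188 ESTABLISHED 15119/initd
udp 0 0 *:netbios-ns *:* 850/nmbd
udp 0 288 192.168.1.79:1039 192.168.1.1:domain ESTABLISHED -
udp 0 0 *:3049 *:* 25239/xopen
"""

# Assumed baseline for this host: service (as netstat prints it) -> expected owner.
BASELINE = {
    "netbios-ssn": "smbd", "netbios-ns": "nmbd", "netbios-dgm": "nmbd",
    "finger": "xinetd", "ftp": "xinetd", "telnet": "xinetd", "auth": "identd",
    "ssh": "sshd", "smtp": "sendmail", "http": "httpd", "https": "httpd",
}

def parse_netstat(text):
    # Yields (proto, local port, foreign addr, state, pid, program) per tcp/udp row.
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] not in ("tcp", "udp"):
            continue
        rest = f[5:]
        state = rest.pop(0) if rest[0].isupper() else ""   # udp rows have no state
        pid, _, prog = " ".join(rest).partition("/")        # "3137/smbd -D" -> smbd
        yield f[0], f[3].rsplit(":", 1)[1], f[4], state, pid, (prog.split() or ["-"])[0].rstrip(":")

def suspect_pids(text):
    # PID -> reasons; a row counts as a listener if LISTEN (tcp) or unbound udp.
    reasons = defaultdict(list)
    rows = list(parse_netstat(text))
    for proto, port, foreign, state, pid, prog in rows:
        if state != "LISTEN" and not (proto == "udp" and foreign == "*:*"):
            continue
        if port not in BASELINE:
            reasons[pid].append(f"{proto} {port}: not in baseline ({prog})")
        elif BASELINE[port] != prog:
            reasons[pid].append(f"{proto} {port}: owned by {prog}, expected {BASELINE[port]}")
    # Who are the flagged processes talking to? Useful for the next question.
    for proto, port, foreign, state, pid, prog in rows:
        if state == "ESTABLISHED" and pid in reasons:
            reasons[pid].append(f"{proto} {port} established with {foreign}")
    return dict(reasons)
```

Run against the full netstat output, the same four PIDs listed above are reported, and 15119 also carries its connection to 213.154.118.200:1188.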
