TimesToCome

Life on the third coast

Trinoo on OSX
Dec. 2006
We were hacked! Bleh. I’ve spent the last two days hunting down what happened, reformatting and re-installing everything and tightening security.
Trinoo is a tricky little bugger. It is an old Solaris trojan that performs denial of service attacks. It is hard to find too. I ran about 20 nmap scans and only two out of those showed the fingerprint of the trojan.  The remaining ones came back clean.

    12345/tcp open NetBus
    12346/tcp open NetBus
    27665/tcp open Trinoo_Master
    31337/tcp open Elite
    32770/tcp open sometimes-rpc3
    32771/tcp open sometimes-rpc5
    32772/tcp open sometimes-rpc7
    32773/tcp open sometimes-rpc9
    32774/tcp open sometimes-rpc11
    54320/tcp open bo2k
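Because the ports only showed up in a couple of the twenty runs, it helps to keep every scan's output and count how often each port was open instead of eyeballing one result. The script below is an added example, not from this post or from nmap itself: it parses lines in the format shown above, tallies each port across several saved runs, and flags the ones nmap labelled with the trojan names seen here (the port-to-name mapping and the sample scan text are constructed from this post, and nmap's service names are guesses from the port number, not proof of what is listening).

```python
import re
from collections import Counter

# Ports nmap labelled with trojan/backdoor names in the post's scan.
# These are nmap's port-number guesses, not confirmed services.
SUSPECT_PORTS = {
    12345: "NetBus", 12346: "NetBus", 27665: "Trinoo_Master",
    31337: "Elite", 54320: "bo2k",
}

# Matches lines like "27665/tcp open Trinoo_Master"
LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")

def parse_open_ports(scan_text):
    """Return {port: service_label} for every 'open' line in one nmap run."""
    found = {}
    for line in scan_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found[int(m.group(1))] = m.group(3)
    return found

def port_hit_counts(scans):
    """For every port open in at least one run, return
    {port: (runs_open, total_runs, suspect_name_or_None)}.
    A port open in only 2 of 20 runs is kept, not averaged away."""
    counts = Counter()
    for scan in scans:
        counts.update(parse_open_ports(scan).keys())
    return {p: (n, len(scans), SUSPECT_PORTS.get(p)) for p, n in counts.items()}

def flagged(scans):
    """Sorted list of suspect-list ports that were open in any run."""
    return sorted(p for p, (_, _, name) in port_hit_counts(scans).items() if name)

# Constructed sample runs: one that reproduces the post's findings and a
# "clean" run showing only ssh, as most of the author's scans did.
SCAN_HIT = "12345/tcp open NetBus\n27665/tcp open Trinoo_Master\n" \
           "31337/tcp open Elite\n54320/tcp open bo2k\n"
SCAN_CLEAN = "22/tcp open ssh\n"

if __name__ == "__main__":
    runs = [SCAN_HIT, SCAN_CLEAN, SCAN_CLEAN]
    for port, (n, total, name) in sorted(port_hit_counts(runs).items()):
        tag = f"  <-- {name}" if name else ""
        print(f"{port:>5}/tcp open in {n}/{total} runs{tag}")
```

Feed it the saved text of each nmap run (one string per run); any port that shows up on the suspect list even once is worth checking with lsof or netstat on the host itself rather than waiting for the next scan to catch it.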
Little Snitch caught ‘pong’ trying to call out and that was the final convincing point. I could not find good removal instructions and both commercial grade OSX virus programs I tried failed to find it. What a surprise. So I had no choice but to do a clean format and re-install.
I have a newer version of “Little Snitch” running now. It is the best security program I’ve found for OSX.
I installed portsentry which kept many an attacker out of my linux boxes over the years.
A user on a local news forum told me about OpenWrt and X-wrt ( install them in that order, it was a totally painless install ) which is like giving your LinkSys box steroids. It’ll take a week or so to find my way through all the settings and properly secure everything.