TCP 6006 and echo (port 7) Mandrake (possible new trojan?)

From: Joshua Kuo (kuom@hawaii.edu)
Date: 12/08/02


From: Joshua Kuo <kuom@hawaii.edu>
Date: Sun, 08 Dec 2002 13:58:49 -0800

hi all:

i have 2 linux boxes both running Mandrake 8.2, and both have only SSH
and CUPS turned on. and X11 (port 6000) when i boot into X.

last night when i connected to my laptop at home from work, and tried to
start an X application (netscape), it failed and told me that the X11
traffic could not be forwarded.

after looking around in my laptop for a while, using nmap, netstat, ps,
and lsof, i still did not find anything that may have caused this, so i
decided to just restart my laptop (shutdown -r now).

to my surprise, my laptop did not come back to the network, i couldn't
even ping it.

this morning, i came to work, and found that my laptop was booted, but did
not grab a DHCP address like it always does from our DHCP server. so i
statically assigned it an address, and started looking around again.
after playing with the laptop for a while, i grew suspicious that perhaps
my box has been compromised. i did an nmap on my laptop (with X off), and
found out that TCP port 6006 is still open. i know that no one is logged
in (i *just* restarted it), and that X is not running, so there is no way
there should be any X traffic to be forwarded out of that port.

i nmapped my home box, and found out that it has the same problem. 6006
is open, and in addition, TCP port 7 (echo) is also open. i know i didn't
turn on echo. in fear that my home box will be compromised any further, i
have already shut it down.

when i try to telnet to port 6006 on my laptop, this is what i get:

# telnet localhost 6006
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-1.5-OpenSSH-2.9.2

this is wrong... i don't have OpenSSH 2.9.2 installed ANYWHERE. i have
both OpenSSH 3.1p1 and SSH 3.2.0, and have _never_ installed 2.9.2.

so someone secretly put it on... on both my laptop and my home box. and i
am trying to track down where this binary is.

does anyone have any idea? the most obvious symptom is that no matter
what i try, whatever i remove, port 6006 will *ALWAYS* be open. obviously
this is not an SSH 2.9.2 problem, because i never had it. it's some other
application that has a security hole (or just someone got my root
password) and got exploited. and whoever exploited it, installed SSH
2.9.2 to listen on TCP port 6006 for his/her convenience.

any help or pointer would be greatly appreciated. going off line...
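Added example, not part of the original post or any reply: a small Python script for the situation described above, where netstat/lsof/ps may have been replaced and a listener with an unexpected SSH banner keeps coming back. It reads the LISTEN sockets straight from /proc/net/tcp, maps each socket inode to the process holding it (so /proc/<pid>/exe names the binary), and compares the banner with what should be on that port. The /proc/net/tcp sample is constructed; the expected-service map follows the post (SSH, CUPS, X11 on 6000), with 631 for CUPS being my assumption.

```python
import os
import socket
# Expected services per the post (SSH, CUPS, X11 on 6000); 631 for CUPS is my assumption.
EXPECTED = {22: "ssh", 631: "cups", 6000: "x11"}

# Constructed /proc/net/tcp sample, not from the author's machine. st 0A is
# LISTEN; local_address is hex IP:PORT, so 0016 = 22, 1776 = 6006, 0007 = 7.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 00000000 100 0 0 10 0
   1: 00000000:1776 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5678 1 00000000 100 0 0 10 0
   2: 00000000:0007 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9012 1 00000000 100 0 0 10 0
   3: 0100007F:8A3E 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 3456 1 00000000 20 0 0 10 -1
"""

def listening_ports(proc_net_tcp):
    """port -> socket inode for LISTEN rows, read from the kernel table rather than netstat/lsof."""
    out = {}
    for line in proc_net_tcp.splitlines()[1:]:
        f = line.split()
        if len(f) >= 10 and f[3] == "0A":
            out[int(f[1].split(":")[1], 16)] = f[9]
    return out

def pid_for_inode(inode):
    """Process holding the socket inode; None if gone or hidden from /proc by a kernel rootkit."""
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            for fd in os.listdir(f"/proc/{pid}/fd"):
                if os.readlink(f"/proc/{pid}/fd/{fd}") == f"socket:[{inode}]":
                    return int(pid)
        except OSError:
            pass
    return None

def grab_banner(host, port, timeout=3.0):
    """What the listener sends on connect; an SSH server speaks first."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return s.recv(256).decode("ascii", "replace").strip()
    except OSError:
        return ""

def assess(port, banner):
    """Judge a listener by its port and banner against the expected map."""
    if banner.startswith("SSH-") and EXPECTED.get(port) != "ssh":
        return f"SUSPICIOUS: SSH banner on port {port}: {banner}"
    if port not in EXPECTED:
        return f"UNEXPECTED: port {port} listening, banner {banner!r}"
    return f"ok: port {port} ({EXPECTED[port]})"
```

On a live box, feed `open("/proc/net/tcp").read()` to `listening_ports`, then for each port call `grab_banner("127.0.0.1", port)`, `assess`, and `pid_for_inode`; a listener that /proc/net/tcp shows but no /proc/<pid>/fd entry owns points at a kernel-level hide rather than a replaced userland tool.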