http bind problem ( unknown process )

From: arvid (arvid_at_inpact.nl)
Date: 12/07/04


Date: 7 Dec 2004 10:28:43 -0800

Hi,

I had a problem with starting up httpd. It failed because the
BindAddress 0.0.0.0:443 was already in use.
A netstat -pan | grep 443 showed that a process R0nin was keeping this
port occupied. After I killed this process httpd started up again.

People suggested that my fedora box was hacked.

I did some checking today and tried to find some evidence for the
hacking. I have tried the following:

1. netstat -pan | grep 443 --> returned httpd
2. netstat -pan | grep 5002 (default port rootkit) --> returned nothing
3. netstat -pan | grep 31337 (root shell port) --> returned nothing
4. ifconfig check for PROMISC flag --> returned ok
5. checked daemons: telnet (not running) and sshd (running only for allowed IPs)
6. portscan from 2 different servers; both returned only port 80, 8080 and ssh.
7. file check on /dev and searched for files beginning with ptys*. On
three different servers they were all the same. I suppose they are part
of Fedora Core.
8. echo * and compared the output with ls. Both the same, so ls does not
seem to be infected by the trojan.
9. ran the program chkrootkit and the only strange thing was:
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.8.1/i386-linux-thread-multi/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Image/Magick/.packlist
/usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi/auto/mod_perl/.packlist
/usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi/auto/Gaim/.packlist

Everything else was "not infected".

10. no access attempts in my secure and messages logs
11. Only wtmp looks strange.

Can I now be sure that there is nothing wrong with my box?
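As an added example that is not part of the original post: a small Python check, run over constructed netstat -pan output modelled on the situation described above, that flags any listening socket whose owning program does not match an expected port-to-program map (the 443/R0nin case) and any listener on the 5002/31337 ports the poster grepped for. All PIDs, addresses and program names in the sample are constructed.

```python
from typing import Dict, List, Tuple

# Constructed sample of `netstat -pan` output (not real output): an unknown
# process holds 0.0.0.0:443 while httpd serves 80 and 8080.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1532/httpd
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      1532/httpd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      2471/R0nin
tcp        0      0 10.0.0.5:22             0.0.0.0:*               LISTEN      901/sshd
tcp        0      0 10.0.0.5:22             10.0.0.9:51022          ESTABLISHED 903/sshd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           777/ntpd
"""

# What this host is supposed to have bound (constructed baseline).
EXPECTED = {80: "httpd", 8080: "httpd", 443: "httpd", 22: "sshd", 123: "ntpd"}


def parse_listeners(netstat_output: str) -> List[Tuple[str, int, str, str]]:
    """Return (proto, port, pid, program) for every bound server socket.

    TCP rows are kept only in LISTEN state (7 columns); UDP rows have no
    state column (6 columns). Header lines and established connections skip.
    """
    listeners = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith(("tcp", "udp")):
            continue
        if fields[0].startswith("tcp"):
            if len(fields) != 7 or fields[5] != "LISTEN":
                continue
        elif len(fields) != 6:
            continue
        port = int(fields[3].rsplit(":", 1)[1])      # local address is host:port
        pid, _, program = fields[-1].partition("/")   # "2471/R0nin" -> pid, program
        listeners.append((fields[0], port, pid, program))
    return listeners


def audit_listeners(netstat_output: str, expected: Dict[int, str],
                    forbidden_ports: Tuple[int, ...] = (5002, 31337)) -> List[str]:
    """Flag listeners that disagree with the expected port -> program map."""
    findings = []
    for proto, port, pid, program in parse_listeners(netstat_output):
        if port in forbidden_ports:
            findings.append(f"{proto}/{port} open by {pid}/{program} (port from the post's rootkit checks)")
        elif port not in expected:
            findings.append(f"{proto}/{port} unexpected listener {pid}/{program}")
        elif program != expected[port]:
            findings.append(f"{proto}/{port} is held by {pid}/{program}, expected {expected[port]}")
    return findings


if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_NETSTAT, EXPECTED):
        print(finding)
```

Feeding real `netstat -pan` output into audit_listeners with a baseline recorded from a known-good install turns the poster's manual greps into a repeatable check; a process name that is not in the baseline is the signal, whatever the port number.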