#1
Ok, read the stickies, no viruses. I have an odd situation however, and I will start from the beginning. I own a colo company, still finalizing my configs, and I have 2 gig-e connections from two providers that I am in the middle of multihoming. Let's call them A & B. I just added 2 Xserves and 4 Mac minis last week (minis are OS X, not server), installed them, did the updates and turned off SSH, leaving remote desktop on as the only form of access.

A few days ago I moved all of the machines except one mini to the B subnet. The next day I turned on SSH to get into my one Xserve to start configuration, and no luck: an ssh -vvv showed invalid name and no realm specified, along with a parameter was malformed. So, I went through Google and tried all the fixes, with no luck. I figured it was the updates, so I called Apple support and did a portscan. All of the machines on B show port 22 as "pcanywherestat". The machine on the A subnet shows SSH for port 22. They said this was becoming a very common issue, but had no idea what it was.

Ok, so these machines are fresh and have nothing but the pre-installed OS X apps, except my one Xserve, which is doing some PHP apps for my website. So, considering that the affected machines are all on the same subnet and became affected when moved to that subnet, that suggests that it is a trojan. Anyone have any idea? Beyond not knowing what it is and what it is doing, which worries me, I also have no SSH access, which I would like to use.

Also, no Symantec stuff installed, and pcanywherestat would never run on 22, so I am sure this process is stopping SSH. A Spotlight search found nothing for pcanywhere.

Here is a portscan of one of my machines, 1-100:

    Port Scan has started ...
    Port Scanning host: xxx.xxx.xxx.xxx
    Open TCP Port: 21
    Open TCP Port: 22 pcanywherestat
    Open TCP Port: 53
    Open TCP Port: 80
    Port Scan has completed ...

Last edited by atlantian2004; March 5th, 2007 at 09:39 PM.
#2
Ok, I found some info, but this is still odd that only my machines on the new subnet are affected:

    PORT 22 - Information
    Port Number: 22
    TCP / UDP: UDP
    Delivery: No
    Protocol / Name: ssh,pcanywherestat
    Port Description: pcAnywhere Status. Default udp status port for v2.0 thru v7.51, plus CE. Versions v8+ on use tcp 5631 & udp 5632.
    Virus / Trojan: No

I have done all the SSH fixes possible pertaining to the debug info, and it is odd that all of my new machines are affected.
#3
Also, the port scan says TCP port 22, not UDP, and after further reading, only old versions of pcanywhere use 22 UDP.
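A service name looked up by port number describes the number, not the program listening on it. One way to check what is actually answering on TCP 22, added here as an example and not part of the thread: read the identification string an SSH server sends first (RFC 4253, section 4.2). The names `parse_ssh_ident` and `probe` are made up for this example.

```python
import re
import socket
import sys

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF".
# The software-version match is deliberately lenient (any non-space run).
IDENT_RE = re.compile(rb"^SSH-(\d+\.\d+)-(\S+)(?: (.*))?$")


def parse_ssh_ident(data):
    """Return (protoversion, softwareversion) from the first complete
    line that starts with "SSH-", or None if there is no such line."""
    # Only lines terminated by LF count; a trailing partial line is ignored.
    for line in data.split(b"\n")[:-1]:
        line = line.rstrip(b"\r")
        # A server may send other text lines before its identification.
        if line.startswith(b"SSH-"):
            m = IDENT_RE.match(line)
            if m is None:
                return None
            return m.group(1).decode("ascii"), m.group(2).decode("ascii", "replace")
    return None


def probe(host, port=22, timeout=5.0):
    """Connect, read what the listener sends first, and report whether
    it identifies itself as an SSH server."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            while len(data) < 4096 and parse_ssh_ident(data) is None:
                chunk = s.recv(256)
                if not chunk:        # peer closed without an SSH banner
                    break
                data += chunk
        except OSError:              # timeout or reset: judge what arrived
            pass
    ident = parse_ssh_ident(data)
    return {"is_ssh": ident is not None, "ident": ident, "raw": data[:80]}


if __name__ == "__main__":
    # Usage: python3 probe22.py <host> [port]   (script name is arbitrary)
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 22
    print(probe(target, target_port))
```

An `is_ssh` of `False` with an empty `raw` means the port accepted the connection but sent nothing recognisable. In that case, look on the machine itself for the process that owns the socket.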