system seems hacked...

Roger Oberholtzer roger at opq.se
Thu Feb 21 13:16:10 PST 2008


On Fri, 2008-02-22 at 07:37 +1100, James McDonald wrote:

> > Anyone seen/heard of this specific exploit?
> >
> >   
> No I haven't. Have you tried chkrootkit and rkhunter to see if they can 
> identify it?
> 
> Also probably not going to work if it's hiding itself but try pstree 
> which may show you the parent process.

I cross posted to the openSUSE list (as that is where this was running).
All is sorted. Seems it was:

	http://www.energymech.net/

which is a non-root IRC bot. One thing it does is hide the real process
name. It was not /usr/bin/sshd. It was the IRC bot running from a user
folder with only that user's rights. Still, I am not happy. There will
be a password shakeup with the users!

-- 
Roger Oberholtzer

OPQ Systems / Ramböll RST
Ramböll Sverige AB
Kapellgränd 7
P.O. Box 4205
SE-102 65 Stockholm, Sweden

Tel: Int +46 8-615 60 20
Fax: Int +46 8-31 42 23
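
A check for the kind of process-name hiding described in the message above, as an added example that is not part of the original post: it compares the argv[0] a process claims in /proc/<pid>/cmdline with the binary its /proc/<pid>/exe link points to. The function names, the USER_WRITABLE list and the sample tree (pids, user1, the bot path) are constructed for illustration.

```python
import os
import tempfile

# Assumed policy: daemons do not run from these user-writable locations.
USER_WRITABLE = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")

def scan_proc(proc_root="/proc"):
    """Flag processes whose claimed argv[0] disagrees with the binary behind exe."""
    findings = []
    for pid in sorted(p for p in os.listdir(proc_root) if p.isdigit()):
        base = os.path.join(proc_root, pid)
        try:
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                argv0 = fh.read().split(b"\0")[0].decode(errors="replace")
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            continue  # exited, kernel thread, or not readable by this user
        claimed = argv0.split(" ")[0]
        if not claimed:
            continue
        reasons = []
        # An absolute argv[0] should be, or resolve to, the running binary.
        if claimed.startswith("/") and exe not in (claimed, os.path.realpath(claimed)):
            reasons.append("argv[0] path differs from exe")
        if exe.startswith(USER_WRITABLE) and os.path.basename(claimed) != os.path.basename(exe):
            reasons.append("renamed process running from user-writable directory")
        if reasons:
            findings.append({"pid": int(pid), "claimed": claimed, "exe": exe, "reasons": reasons})
    return findings

def build_sample_proc(root):
    """Write a constructed /proc-like tree (not real data) for an offline run."""
    samples = {
        "101": (b"/usr/sbin/cron\0-f\0", "/usr/sbin/cron"),
        "202": (b"/usr/bin/sshd\0", "/home/user1/.hidden/bot"),  # constructed masquerade
        "303": (b"/home/user1/bin/tool\0", "/home/user1/bin/tool"),
    }
    for pid, (cmdline, exe) in samples.items():
        os.makedirs(os.path.join(root, pid))
        with open(os.path.join(root, pid, "cmdline"), "wb") as fh:
            fh.write(cmdline)
        os.symlink(exe, os.path.join(root, pid, "exe"))  # dangling link is fine for readlink
    return root

if __name__ == "__main__":
    for finding in scan_proc(build_sample_proc(tempfile.mkdtemp())):
        print(finding)
```

Run as root against the real /proc to see every user's processes; interpreter scripts and binaries replaced on disk since start can also show a mismatch and need a manual look.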



