system seems hacked...

Jerry McBride mcbrides9 at comcast.net
Thu Feb 21 17:00:18 PST 2008


On Thursday 21 February 2008 04:16:10 pm Roger Oberholtzer wrote:
> On Fri, 2008-02-22 at 07:37 +1100, James McDonald wrote:
> > > Anyone seen/heard of this specific exploit?
> >
> > No I haven't. Have you tried chkrootkit and rkhunter to see if they can
> > identify it?
> >
> > Also probably not going to work if it's hiding itself but try pstree
> > which may show you the parent process.
>
> I cross posted to the openSUSE list (as that is where this was running).
> All is sorted. Seems it was:
>
> 	http://www.energymech.net/
>
> which is a non-root IRC bot. One thing it does is hide the real process
> name. It was not /usr/bin/sshd. It was the IRC bot running from a user
> folder with only that user's rights. Still, I am not happy. There will
> be a password shakeup with the users!

Wow. That's frightening. Did you figure out how it was put on your server?
Knowing what it is, is one thing. Knowing how it got there is another.

Thanks for the info.

-- 


From the Desk of: Jerome D. McBride
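
Added example, not part of the original thread: the quoted message describes a process that showed up as /usr/bin/sshd while the running binary was a bot in a user's folder. On Linux, argv[0] in /proc/<pid>/cmdline is writable by the process itself, while the /proc/<pid>/exe link is maintained by the kernel, so comparing the two exposes that disguise. The function names and sample paths below are assumptions made for illustration.

```python
import os

def find_masquerading(proc_root="/proc"):
    """Return (pid, claimed_argv0, real_exe) for processes whose argv[0]
    names an absolute path that is not the binary actually running."""
    hits = []
    for entry in sorted(os.listdir(proc_root)):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                raw = fh.read()
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            continue  # kernel thread, exited process, or no permission
        # argv[0] is whatever the process chose to put there
        claimed = raw.split(b"\0", 1)[0].decode(errors="replace")
        if not claimed.startswith("/"):
            continue  # bare names and titles like "sshd: user" are too noisy
        # The kernel appends this marker when the binary was unlinked after start
        if exe.endswith(" (deleted)"):
            exe = exe[: -len(" (deleted)")]
        # realpath on both sides so that ordinary symlinks do not raise a flag
        if os.path.realpath(claimed) != os.path.realpath(exe):
            hits.append((int(entry), claimed, exe))
    return hits

def build_sample_proc(root):
    """Constructed sample: a fake /proc with one honest and one disguised process."""
    samples = {
        "101": (b"/usr/sbin/cron\0-f\0", "/usr/sbin/cron"),
        "202": (b"/usr/bin/sshd\0", "/home/someuser/.cache/bot"),  # hypothetical path
    }
    for pid, (cmdline, exe) in samples.items():
        os.makedirs(os.path.join(root, pid))
        with open(os.path.join(root, pid, "cmdline"), "wb") as fh:
            fh.write(cmdline)
        os.symlink(exe, os.path.join(root, pid, "exe"))

if __name__ == "__main__":
    for pid, claimed, exe in find_masquerading():
        print(f"pid {pid}: claims {claimed} but runs {exe}")
```

Run it as root to see every user's processes; an unprivileged run can only read the exe link of its own processes and silently skips the rest.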




More information about the Linux-users mailing list