system seems hacked...
Roger Oberholtzer
roger at opq.se
Mon Mar 3 07:08:30 PST 2008
On Mon, 2008-02-25 at 15:33 -0800, Bill Campbell wrote:
> On Thu, Feb 21, 2008, Roger Oberholtzer wrote:
> >On Fri, 2008-02-22 at 07:37 +1100, James McDonald wrote:
> >
> >> > Anyone seen/heard of this specific exploit?
> >> >
> >> >
> >> No I haven't. Have you tried chkrootkit and rkhunter to see if they can
> >> identify it?
> >>
> >> Also probably not going to work if it's hiding itself but try pstree
> >> which may show you the parent process.
> >
> >I cross posted to the openSUSE list (as that is where this was running).
> >All is sorted. Seems it was:
> >
> > http://www.energymech.net/
> >
> >which is a non-root IRC bot. One thing it does is hide the real process
> >name. It was not /usr/bin/sshd. It was the IRC bot running from a user
> >folder with only that user's rights. Still, I am not happy. There will
> >be a password shakeup with the users!
>
> This type of attack often is made via webmin or usermin exploiting bad user
> passwords.
I think we have narrowed it down to two users from the same location,
whose accounts were used to run the offending software. After our
password shake-up, the problem is gone. So we will keep our password
requirements more aggressive.
Anyone know of a windows program that lets one set their Linux password?
I know that sounds like a crazy thing, but this was part of the problem.
I never did get the Linux system to authenticate some users via a
Windows server, which would make this a bit easier for me. Newer
releases of openSUSE allow you to set this up automatically. But the
release on the two servers involved in this cannot easily be updated in
the time I have available for this work. It will happen. But not today.
The use (or, rather, non-use) of Windows passwords on the Linux server
is the biggest problem in my Linux/Windows integration.
--
Roger Oberholtzer
OPQ Systems / Ramböll RST
Ramböll Sverige AB
Kapellgränd 7
P.O. Box 4205
SE-102 65 Stockholm, Sweden
Office: Int +46 8-615 60 20
Mobile: Int +46 70-815 1696
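Added example, not from the thread or from the EnergyMech project: the bot described above gives itself away because a process can rewrite what ps shows (argv[0], and comm via prctl) but cannot alter /proc/PID/exe, which the kernel maintains. The script below walks /proc and lists processes whose advertised name disagrees with the basename of the real executable, or whose real executable lives under a home directory or a temp directory. The path /home/bob/.emech/mech in the comments is a made-up illustration, not a path from the original report.

```shell
#!/bin/sh
# find_masquerade.sh - added example, not part of the original thread.
# Lists processes whose visible name (argv[0]) does not match the binary the
# kernel actually mapped (/proc/PID/exe), or whose binary lives somewhere a
# system daemon never should. Run as root to see every process's exe link.

# name_mismatch VISIBLE EXE
# Returns 0 when VISIBLE (what the process shows in ps) differs from the
# basename of EXE (target of /proc/PID/exe). Pure string logic, so it can be
# exercised without a live /proc.
name_mismatch() {
    visible=${1##*/}                 # "/usr/bin/sshd" -> "sshd"
    exe=${2% (deleted)}              # readlink marks unlinked binaries
    exe=${exe##*/}
    [ -n "$exe" ] || return 1        # kernel threads have no exe: skip
    # The kernel truncates comm to 15 bytes; compare on that prefix so a
    # long but honest name is not reported.
    visible=$(printf '%s' "$visible" | cut -c1-15)
    exe=$(printf '%s' "$exe" | cut -c1-15)
    [ "$visible" != "$exe" ]
}

# suspicious_location EXE
# Returns 0 when the real binary sits in a user or temp directory, e.g. the
# hypothetical /home/bob/.emech/mech; the bot in the thread ran from a
# user's own folder with only that user's rights.
suspicious_location() {
    case $1 in
        /home/*|/tmp/*|/var/tmp/*|/dev/shm/*) return 0 ;;
        *) return 1 ;;
    esac
}

# scan_proc
# Walks /proc and prints PID, UID, advertised name and real executable for
# every process that trips either check.
scan_proc() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        exe=$(readlink "$d/exe" 2>/dev/null) || continue
        # cmdline is NUL-separated; the first field is argv[0]
        argv0=$(tr '\0' '\n' < "$d/cmdline" 2>/dev/null | head -n 1)
        [ -n "$argv0" ] || continue
        uid=$(awk '/^Uid:/ {print $2}' "$d/status" 2>/dev/null || echo '?')
        if name_mismatch "$argv0" "$exe" || suspicious_location "$exe"; then
            printf '%s\t%s\t%s\t%s\n' "$pid" "$uid" "$argv0" "$exe"
        fi
    done
}

# Usage: sh find_masquerade.sh --scan
case ${1:-} in
    --scan) scan_proc ;;
esac
```

Treat the output as a list of candidates, not verdicts: interpreters reached through symlinks (sh vs. dash, python3 vs. python3.x) show up as honest mismatches. For each hit, ls -l /proc/PID/cwd and the process's UID tell you whose account is running it, which is the question Roger had to answer.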