I'm not real proud of this information, but I am passing it along
because of what I found and how the hackers have disguised their
malicious use of Linux.  I have Linux-Mandrake 7.1 with some
enhancements towards 7.2.

Today I found that several unwanted guests have been able to connect via
ftp (not any more!).  I also found some mysterious files 'running' on
the server.  I was able to detect the processes using the monitor
utility (or top).  However, I was UNABLE to find the processes in the ps
-ax output??????  I've never seen this before.  Is this a new exploit?

Imagine attempting to find a command called t0rntd on your computer, and
not being able to detect in the Process List.  After looking for that
program and coming up blank I was able to kill the process, even though
the Process ID was not detected in the Process Table (also a New one).

In fact, the ONLY WAY I was able to detect this malicious process
running was to perform a find command.  It was found, in a directory
called /usr/src/.puta/stachel/t0rntd

Now mind you, you could not get a directory list for the tree /usr/src
to display the .puta directory.  It just wasn't there.  You could cd
into the directory; I have since renamed the directory.

I am curious exactly how do you create a dot directory (i.e. .puta) so
that it is invisible to the ls -la command?

Additionally, how do you run a process and eliminate it from the process
table?

It appears that the strings within the applications found on my Web
server are looking for Red Hat, FreeBSD, SuSE and other systems with the
wuftpd packed version 2.6.0.  PLEASE REMOVE THIS PACKAGE FROM YOUR
ENVIRONMENT!

Any answers to my questions are appreciated.  I have already contacted
the FBI and I am monitoring my environment with a closer eye on the
logfiles.

--
Albert E. Whale - http://www.abs-comptech.com/aewhale.html
----------------------------------------------------------------------
ABS Computer Technology, Inc. - Computer & Networking Specialists
Sr. Network, Security and Systems Consultant
HP Networking & Openview, Royalty Class Consultant -
http://forums.itrc.hp.com

The Father's Rights Network -
http://www.abs-comptech.com/frn/frnhome.html
The Pennsylvania Parenthood Initiative - PAPI - Children need BOTH
Parents
- http://www.geocities.com/Heartland/4688/papi.htm
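The post above describes the classic symptom of trojaned ps and ls binaries: a process visible in top but not in ps, and a dot directory reachable by cd and find but absent from ls -la. The following is an added example, not code from the original post, showing how a defender can surface such discrepancies by comparing the output of the possibly-trojaned tools against an independent view (/proc and a readdir done by the script itself). The sample ps and ls output, the PID 777 and the directory names are constructed for the demonstration; only the name .puta comes from the post.

```python
"""Cross-check ps and ls output against kernel-provided views (added example)."""
import os
import re
import subprocess

PID_RE = re.compile(r"^\s*(\d+)\s")

# Constructed sample output, as a trojaned 'ps -ax' might print it (PID 777 omitted).
SAMPLE_PS = "  PID TTY      STAT   TIME COMMAND\n    1 ?        S      0:04 init\n  512 ?        S      0:00 sshd\n"
# Constructed sample output of a trojaned 'ls -la /usr/src' (.puta filtered out).
SAMPLE_LS = ("total 12\ndrwxr-xr-x  4 root root 4096 Jan  1 00:00 .\n"
             "drwxr-xr-x 14 root root 4096 Jan  1 00:00 ..\n"
             "drwxr-xr-x  2 root root 4096 Jan  1 00:00 linux\n")

def pids_from_ps_output(text):
    """Parse the PID column out of 'ps -ax' style output (header skipped)."""
    return {int(m.group(1)) for m in map(PID_RE.match, text.splitlines()) if m}

def names_from_ls_output(text):
    """Extract the name column from 'ls -la' long-format lines ('total' line skipped)."""
    names = []
    for line in text.splitlines():
        parts = line.split(None, 8)
        if len(parts) == 9 and parts[0][0] in "-dlcbps":
            names.append(parts[8].split(" -> ", 1)[0])  # drop symlink target
    return names

def hidden_pids(proc_pids, ps_pids):
    """PIDs present in /proc but absent from ps output: candidates for a hidden process."""
    return sorted(proc_pids - ps_pids)

def hidden_entries(independent_listing, ls_listing):
    """Names returned by an independent readdir but missing from ls output."""
    return sorted(set(independent_listing) - set(ls_listing))

def live_check(directory="/usr/src"):
    """Run both comparisons on this host; re-run to rule out short-lived processes."""
    proc_pids = {int(n) for n in os.listdir("/proc") if n.isdigit()}
    ps = subprocess.run(["ps", "-ax"], capture_output=True, text=True)
    ls = subprocess.run(["ls", "-la", directory], capture_output=True, text=True)
    return {"hidden_pids": hidden_pids(proc_pids, pids_from_ps_output(ps.stdout)),
            "hidden_entries": hidden_entries(os.listdir(directory), names_from_ls_output(ls.stdout))}

def demo():
    """Apply the checks to the constructed samples: PID 777 and .puta are flagged."""
    return {"hidden_pids": hidden_pids({1, 512, 777}, pids_from_ps_output(SAMPLE_PS)),
            "hidden_entries": hidden_entries(["linux", ".puta"], names_from_ls_output(SAMPLE_LS))}

if __name__ == "__main__":
    print(demo())
```

On a live system a non-empty result is a lead, not proof: a process that exited between the two reads also shows up, so confirm with a second run before treating the host as compromised.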
