this tells me that the following programs have been replaced with
trojans:
ls
ps
most likely, the following programs were also hacked and replaced with
trojans:
/home/ftp/bin/ls
telnetd
netstat
ftpd
A re-install would be of importance now. Look in /etc/passwd for any
users that have userid and groupid of 0.
Expect the passwords in /etc/passwd or /etc/shadow to have been cracked.
bug
On Tue, 23 Jan 2001, Albert E. Whale wrote:
> I'm not real proud of this information, but I am passing it along
> because of what I found and how the hackers have disguised their
> malicious use of Linux. I have Linux-Mandrake 7.1 with some
> enhancements towards 7.2.
>
> Today I found that several unwanted guests have been able to connect via
> ftp (not any more!). I also found some mysterious files 'running' on
> the server. I was able to detect the processes using the monitor
> utility (or top). However, I was UNABLE to find the processes in the ps
> -ax output?????? I've never seen this before. Is this a new exploit?
>
> Imagine attempting to find a command called t0rntd on your computer, and
> not being able to detect it in the Process List. After looking for that
> program and coming up blank I was able to kill the process, even though
> the Process ID was not detected in the Process Table (also a New one).
>
> In fact, the ONLY WAY I was able to detect this malicious process
> running was to perform a find command. It was found, in a directory
> called /usr/src/.puta/stachel/t0rntd
>
> Now mind you, you could not get a directory list for the tree /usr/src
> to display the .puta directory. It just wasn't there. You could cd
> into the directory; I have since renamed the directory.
>
> I am curious exactly how do you create a dot directory (i.e. .puta) so
> that it is invisible to the ls -la command?
>
> Additionally, how do you run a process and eliminate it from the process
> table?
>
> It appears that the strings within the applications found on my Web
> server are looking for Red Hat, FreeBsd, Suse and other systems with the
> wuftpd packed version 2.6.0. PLEASE REMOVE THIS PACKAGE FROM YOUR
> ENVIRONMENT!
>
> Any answers to my questions are appreciated. I have already contacted
> the FBI and I am monitoring my environment with a closer eye on the
> logfiles.
>
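As an added example (not code from either message in this thread), the following Python triage script does what the reply recommends: it lists /etc/passwd entries with uid or gid 0, and it cross-checks what the kernel reports through /proc against what the possibly trojaned ps and ls binaries report, which is how a hidden process like t0rntd or a hidden directory like .puta shows up. The function names and the sample passwd text are constructed for illustration. It catches a userland rootkit of the kind described (replaced binaries); a kernel-resident rootkit can falsify /proc as well, so a clean result is necessary but not sufficient, and the checks are best run from known-good media.

```python
import os
import subprocess

# Constructed sample passwd content for the offline check (not from the post).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
toor:x:0:0::/:/bin/sh
"""


def root_equivalent_accounts(passwd_text):
    """Return (name, uid, gid) for every entry with uid 0 or gid 0 other than
    the first 'root' line. A second 'root' line is reported too. gid 0 alone
    has legitimate users on some distributions (e.g. 'operator' here), so
    review the list rather than deleting blindly."""
    suspects = []
    seen_root = False
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4 or not (fields[2].isdigit() and fields[3].isdigit()):
            continue  # malformed entry: skipped here, but worth a manual look
        name, uid, gid = fields[0], int(fields[2]), int(fields[3])
        if name == "root" and uid == 0 and not seen_root:
            seen_root = True  # the expected superuser line
            continue
        if uid == 0 or gid == 0:
            suspects.append((name, uid, gid))
    return suspects


def hidden_items(kernel_view, tool_view):
    """Items the kernel reports that a userland tool omitted."""
    return sorted(set(kernel_view) - set(tool_view))


def kernel_pids():
    """PIDs read from /proc with the getdents syscall, bypassing the ls binary."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def ps_pids(ps_binary="ps"):
    """PIDs as reported by the (possibly trojaned) ps binary."""
    out = subprocess.run([ps_binary, "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def ls_names(path, ls_binary="ls"):
    """Directory entries as reported by the (possibly trojaned) ls binary."""
    out = subprocess.run([ls_binary, "-A", "-1", path],
                         capture_output=True, text=True, check=True).stdout
    return set(out.splitlines())


def triage(path="/usr/src", passwd_file="/etc/passwd"):
    """Live sweep. The ps snapshot is taken first so that processes exiting
    between the two reads end up missing from /proc rather than flagged as
    hidden. Processes that start in between are false positives; rerun to
    confirm anything that appears."""
    by_ps = ps_pids()
    by_kernel = kernel_pids()
    with open(passwd_file) as fh:
        accounts = root_equivalent_accounts(fh.read())
    return {
        "hidden_pids": hidden_items(by_kernel, by_ps),
        "hidden_entries": hidden_items(os.listdir(path), ls_names(path)),
        "root_equivalent_accounts": accounts,
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

The hidden-PID and hidden-entry checks only work because the trojaned tools are userland binaries while os.listdir talks to the kernel directly; once the comparison shows a discrepancy, the replaced binaries cannot be trusted for anything else on that host, which is why the reply's advice is a reinstall rather than a cleanup.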