"Albert E. Whale" wrote:
> 
> I'm not real proud of this information, but I am passing it along
> because of what I found and how the hackers have disguised their
> malicious use of Linux.  I have Linux-Mandrake 7.1 with some
> enhancements towards 7.2.
> 
> Today I found that several unwanted guests have been able to connect via
> ftp (not any more!).  I also found some mysterious files 'running' on
> the server.  I was able to detect the processes using the monitor
> utility (or top).  However, I was UNABLE to find the processes in the ps
> -ax output??????  I've never seen this before.  Is this a new exploit?
> 
> Imagine attempting to find a command called t0rntd on your computer, and
> not being able to detect it in the Process List.  After looking for that
> program and coming up blank I was able to kill the process, even though
> the Process ID was not detected in the Process Table (also a New one).
> 
> In  fact, the ONLY WAY I was able to detect this malicious process
> running was to perform a find command.  It was found, in a directory
> called /usr/src/.puta/stachel/t0rntd
> 
> Now mind you, you could not get a directory list for the tree /usr/src
> to display the .puta directory.  It just wasn't there.  You could cd
> into the directory; I have since renamed the directory.
> 
> I am curious exactly how do you create a dot directory (i.e. .puta) so
> that it is invisible to the ls -la command?
> 
> Additionally, how do you run a process and eliminate it from the process
> table?
> 
> It appears that the strings within the applications found on my Web
> server are looking for Red Hat, FreeBSD, Suse and other systems with the
> wuftpd packed version 2.6.0.  PLEASE REMOVE THIS PACKAGE FROM YOUR
> ENVIRONMENT!
> 
> Any answers to my questions are appreciated.  I have already contacted
> the FBI and I am monitoring my environment with a closer eye on the
> logfiles.
> 
> --
> Albert E. Whale - http://www.abs-comptech.com/aewhale.html
> ----------------------------------------------------------------------
> ABS Computer Technology, Inc. - Computer & Networking Specialists
> Sr. Network, Security and Systems Consultant
> HP Networking & Openview, Royalty Class Consultant -
> http://forums.itrc.hp.com
> 
> The Father's Rights Network -
> http://www.abs-comptech.com/frn/frnhome.html
> The Pennsylvania Parenthood Initiative - PAPI - Children need BOTH
> Parents
> - http://www.geocities.com/Heartland/4688/papi.htm
Congrats,

You are the proud owner of a root kit!
Basically it is a set of commands that get installed on your system that
ignores the intruder.
My advice is take that server offline and redo it completely; you cannot
trust it again. As they probably have root and can play with you as they
wish and then destroy the server or whatever.

So get the message?
Fdisk and redo!!!

Cheers

Stefaans
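
A check a defender can run for the symptoms described in the question (a process visible in top but absent from ps -ax, a directory you can cd into but that never shows in ls -la), as an added example that is not part of the original thread: it compares the kernel's own view through /proc and readdir() with the output of the ps and ls binaries, which is exactly where a userland rootkit of the kind Stefaans describes does its filtering. The function names and the /usr/src default are assumptions of this example, not anything from the thread.

```python
#!/usr/bin/env python3
"""Cross-check the userland view (ps, ls) against the kernel's view (/proc, readdir).
Added example, not code from the original thread. A userland rootkit of the kind
described replaces ps and ls with copies that filter out the intruder's entries,
while the kernel still reports them; a disagreement between the two views is the signal.
Assumes the ps and ls found on $PATH are the binaries under suspicion.
"""
import os
import subprocess

def pids_from_ps(ps_output: str) -> set[int]:
    """Parse 'ps -ax' text: the first field of each non-header line is the PID."""
    pids = set()
    for line in ps_output.splitlines()[1:]:          # skip the header line
        fields = line.split()
        if fields and fields[0].isdigit():
            pids.add(int(fields[0]))
    return pids

def names_from_ls(ls_output: str) -> set[str]:
    """Parse 'ls -la' text: the name is the 9th field, minus any '-> target' suffix."""
    names = set()
    for line in ls_output.splitlines():
        fields = line.split(None, 8)
        if len(fields) == 9 and not line.startswith("total"):
            names.add(fields[8].split(" -> ")[0])
    return names

def hidden_pids(kernel_pids: set[int], ps_pids: set[int]) -> set[int]:
    """PIDs present in /proc that ps did not list. Processes that exited between
    the two snapshots show up here too, so re-run before trusting a hit."""
    return kernel_pids - ps_pids

def hidden_entries(kernel_names: set[str], ls_names: set[str]) -> set[str]:
    """Directory entries readdir() returned that ls -la omitted ('.' and '..' ignored)."""
    return {n for n in kernel_names if n not in ls_names and n not in (".", "..")}

def live_check(directory: str = "/usr/src") -> tuple[set[int], set[str]]:
    """Run both comparisons on this host (the thread's /usr/src by default)."""
    kernel_pids = {int(d) for d in os.listdir("/proc") if d.isdigit()}
    ps_out = subprocess.run(["ps", "-ax"], capture_output=True, text=True).stdout
    ls_out = subprocess.run(["ls", "-la", directory], capture_output=True, text=True).stdout
    return (hidden_pids(kernel_pids, pids_from_ps(ps_out)),
            hidden_entries(set(os.listdir(directory)), names_from_ls(ls_out)))

if __name__ == "__main__":
    procs, names = live_check()
    print("in /proc but missing from ps -ax:", sorted(procs) or "none")
    print("in", "/usr/src", "but missing from ls -la:", sorted(names) or "none")
```

A kernel-level rootkit that hooks the syscalls themselves would fool /proc and readdir() too, so a clean result here only rules out the trojaned-binary case; Stefaans's advice to rebuild still stands.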


