OK, I found it at /dev/gdm/.n2o/. I do not know if this directory itself
is legal? The "eggdrop" exec is dated April 1st, which is surprising since
I installed my system on March 23rd!!! I have only used ssh to that
machine and disabled "finger, talk, telnet, ftp ...". I could not
understand most of the config files in the eggdrop directory. Could anyone
help me read them if I post them on the web? :)

I renamed this eggdrop exec file and killed the running process. It has
not come back so far. I did not see anything in the crontab directories
though. There is nothing in /var/log/secure either. However, there is a lot
of stuff in /var/log/messages.2 and /var/log/messages.3. I noticed that
"named" is very active in messages.1. I planned to run DNS on that computer
and had named running but did not really get time to config it. So, it is
unlikely that it will get too many DNS requests. But most of those named
activities seem to be hourly clear-up work. Is that normal? messages.2
recorded several "su"'s for user "news". That is strange too ...

Oh wait ... the log says that he restarted inetd on April 1st too. He has
restarted the services I disabled, especially "shell" and "rlogin". I
think he must have gained root access to modify "inetd.conf"?

I know I should reinstall the system AGAIN! But since it is the second
time I got compromised, I will back up all my data from that computer and
try to see how the hacker works so that I can prevent future attacks. I
will keep you guys posted about my discovery ...
Thanks
Michael
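
The three checks Michael describes above (a binary dated after the install, r-services re-enabled in inetd.conf, and su's to a system account in syslog) can be scripted so they are repeatable on a suspect box. The script below is an added example, not part of this post or any reply to it; the inetd.conf fragment, the syslog lines and the dates are constructed for illustration, and the service and account names passed to the functions are assumptions about what the admin meant to keep disabled.

```sh
#!/bin/sh
# Added triage helper (example code, not from the original post). Assumes a
# classic inetd.conf layout and syslog-style /var/log/messages lines.

# Constructed inetd.conf sample: the admin commented out finger/telnet/ftp,
# but "shell" and "login" (rsh/rlogin) are active, as in Michael's finding.
SAMPLE_INETD='#finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
#telnet stream tcp nowait root   /usr/sbin/tcpd in.telnetd
shell   stream tcp nowait root   /usr/sbin/tcpd in.rshd
login   stream tcp nowait root   /usr/sbin/tcpd in.rlogind
#ftp    stream tcp nowait root   /usr/sbin/tcpd in.ftpd'

# Constructed syslog sample resembling the inetd restart and su lines
# mentioned in the post (host name, PIDs and times are made up).
SAMPLE_MESSAGES='Apr  1 03:12:44 host inetd[212]: restarting
Apr  1 03:13:02 host su: (to news) root on /dev/pts/1
Apr  1 03:13:05 host PAM_pwdb[300]: (su) session opened for user news by (uid=0)
Apr  1 03:20:11 host named[99]: Cleaned cache of 12 RRs
Apr  1 04:00:00 host su: (to michael) michael on /dev/pts/0'

# Check 1: files modified after the install date. $1 = directory to scan,
# $2 = a reference file whose mtime is the install date (e.g. /etc/issue
# on a freshly installed box, or a file you touch -t to that date).
files_newer_than() {
    find "$1" -type f -newer "$2" 2>/dev/null
}

# Check 2: print inetd services that are active although they were meant to
# stay disabled. $1 = space-separated service names; inetd.conf on stdin.
active_disallowed_services() {
    awk -v want="$1" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) bad[w[i]] = 1 }
        /^[[:space:]]*#/ { next }           # commented out: not active
        NF > 0 && ($1 in bad) { print $1 }  # first column is the service name
    '
}

# Check 3: print the target account of every "su: (to X)" line where X is a
# system account nobody should normally become. $1 = account names; syslog on stdin.
su_to_system_accounts() {
    awk -v accts="$1" '
        BEGIN { n = split(accts, a, " "); for (i = 1; i <= n; i++) sys[a[i]] = 1 }
        / su: \(to / {
            t = $0
            sub(/.* su: \(to /, "", t)      # drop everything before the target
            sub(/\).*/, "", t)              # keep only the account name
            if (t in sys) print t
        }
    '
}

# Check 4: how often inetd was restarted; the post used this as the clue that
# the disabled services had been switched back on. Syslog on stdin.
inetd_restart_count() {
    grep -c ' inetd\[[0-9]*\]: restarting' || true   # grep -c exits 1 on zero matches
}

# Demonstration on the constructed data (a temp dir stands in for /dev).
demo_dir=$(mktemp -d)
mkdir "$demo_dir/.n2o"
touch -t 199903230000 "$demo_dir/installed"      # constructed install date
touch -t 199904010000 "$demo_dir/.n2o/eggdrop"   # constructed later binary
echo "Files newer than install:"; files_newer_than "$demo_dir" "$demo_dir/installed"
echo "Active services that should be disabled:"
printf '%s\n' "$SAMPLE_INETD" | active_disallowed_services "shell login finger telnet ftp"
echo "su to system accounts:"
printf '%s\n' "$SAMPLE_MESSAGES" | su_to_system_accounts "news daemon bin"
echo "inetd restarts: $(printf '%s\n' "$SAMPLE_MESSAGES" | inetd_restart_count)"
rm -rf "$demo_dir"
```

On a real machine you would point files_newer_than at /dev (and /usr/sbin, /etc), feed it /etc/inetd.conf and the rotated /var/log/messages.* files, and treat any hit as a reason to pull the disk image before reinstalling, since a rewritten inetd.conf already implies root.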
---------------------------------------------------------------------------
Send administrative requests to [EMAIL PROTECTED]