Someone was able to hack into our server, probably through wu-ftpd, and changed the following files:

    /bin/login
    /bin/ps
    /bin/netstat
    /bin/ls
    /usr/bin/finger
    /bin/mail

This hacker modified root's .bash_profile and added the following lines:

    #mesg n
    #/usr/src/.puta/bnc /usr/src/.puta/saints >> /dev/null
    #/usr/src/.puta/stachel/t0rntd >> /dev/null
    #unset HISTFILE
    #unset HISTSAVE

This hacker used our server for an IRC DDoS attack (probably part of the one used in the Undernet DDoS as posted on Slashdot). He's also cleaning the syslog entries. If not through wu-ftpd, it was probably through bind, but our bind is already 8.2.2 P7.

The hacked 'ps' doesn't show the processes. When I fixed ps, it showed about 20 processes named lprsched (but they are actually bnc).

Does anybody know of this attack? This is most likely local, since the directory he uses is .puta. I wasn't able to discover how he was cleaning up the syslog entries.

Thanks

--
Mike

Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
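
The two symptoms reported above (a replaced ps that omits processes, and processes displayed as lprsched that are actually bnc) can be cross-checked by reading /proc directly instead of trusting ps. This is an added example, not part of the original message; the function names, PIDs and sample process table are constructed for illustration, and it assumes a Linux procfs.

```python
import os

def snapshot_proc(proc_root="/proc"):
    """Read (pid, argv0, exe) for each process from procfs, without calling ps."""
    procs = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "cmdline"), "rb") as f:
                argv0 = f.read().split(b"\0")[0].decode(errors="replace")
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            continue  # kernel thread, exited process, or insufficient privilege
        procs.append((int(entry), argv0, exe))
    return procs

def hidden_from_ps(proc_pids, ps_pids):
    """PIDs present under /proc that the ps binary did not list."""
    return sorted(set(proc_pids) - set(ps_pids))

def suspicious(procs):
    """Flag processes whose displayed name differs from the real executable,
    or whose executable sits under a dot-directory."""
    findings = []
    for pid, argv0, exe in procs:
        shown = os.path.basename(argv0.lstrip("-"))  # login shells appear as "-bash"
        reasons = []
        if shown and shown != os.path.basename(exe):
            reasons.append("name mismatch")
        if any(part.startswith(".") for part in exe.split("/")):
            reasons.append("hidden directory")
        if reasons:
            findings.append((pid, shown, exe, reasons))
    return findings

# Constructed sample modelled on the post; PIDs are made up.
SAMPLE = [
    (1, "init", "/sbin/init"),
    (412, "-bash", "/bin/bash"),
    (731, "lprsched", "/usr/src/.puta/bnc"),
    (905, "syslogd", "/sbin/syslogd"),
]
SAMPLE_PS_PIDS = [1, 412, 905]  # what a replaced ps might print (constructed)

if __name__ == "__main__":
    print(hidden_from_ps([p[0] for p in SAMPLE], SAMPLE_PS_PIDS))
    for finding in suspicious(SAMPLE):
        print(finding)
```

This only catches userland tampering such as a replaced ps, and the interpreter running it has to come from known-good media. A name mismatch also has benign causes (daemons that rewrite their title, script interpreters), so treat each hit as a lead to examine.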
