Quote:
Originally Posted by SplitInfinity
You should check your servers for the following:
Directories that should not be there... if they are, contact me...
/dev/k4rd
/dev/k4rd/proc.k4rd
In your /lib directory, this will surely tell you your system has been rooted:
[root@mail ~]# cd /lib
[root@mail lib]# grep k4rd *
Binary file libutil-2.3.3.so matches
Binary file libutil-2.3.4.so matches
Binary file libutil-2.3.5.so matches
All three of those files are kernel libs that totally give the guy control
of your system. In our case, we're owning him right now...... lol
Note to all: NATS has been VERY helpful in the situation.
They have heard of this same person before; he is apparently in Australia.
I want to say that anyone using NATS is in good hands. These guys are all
talking to me as I uncover all of this so they can jump on whatever they need to jump on to get things fixed (if they need to advise people to upgrade MySQL, for example, or whatever).
|
And now ask yourself: how did he get inside? How was he able to write in /dev or /lib, and what did he do to secure his access so he can come back? The sniffer is the least of your problems.
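The check the quoted post describes, as an added example that is not the poster's own script: it looks for the two /dev paths and greps the libutil copies in /lib for the same string, optionally against a mounted image or test tree via a root prefix. The rpm verification step is an assumption about the host (the post never says which distribution it is).

```shell
#!/bin/sh
# Added example: scan for the k4rd indicators named in the post.
# Usage: check_k4rd_indicators [ROOT]   (ROOT defaults to /; pass the mount
# point of a suspect disk image to scan it from a known-good system instead,
# since a rootkit that patched libutil may also have hooked the tools below.)
# Prints each indicator found; returns 0 if none found, 1 if any found.
check_k4rd_indicators() {
    root="${1:-/}"
    root="${root%/}"          # "/" becomes "", so paths stay "/dev/..."
    found=0

    # 1. Directories the post says should not exist
    for d in "$root/dev/k4rd" "$root/dev/k4rd/proc.k4rd"; do
        if [ -e "$d" ]; then
            echo "INDICATOR: unexpected path $d"
            found=1
        fi
    done

    # 2. The poster's grep: binary libutil copies containing the string
    for f in "$root"/lib/libutil-*.so; do
        [ -f "$f" ] || continue
        if grep -q "k4rd" "$f" 2>/dev/null; then
            echo "INDICATOR: string 'k4rd' in $f"
            found=1
        fi
    done

    # 3. Assumed extra step for rpm-based hosts scanning the live root:
    #    verify each libutil file against the checksum recorded by the
    #    package that owns it (a trojaned copy fails even if the string
    #    is renamed). rpm -Vf reports on every file of that package.
    if [ -z "$root" ] && command -v rpm >/dev/null 2>&1; then
        for f in /lib/libutil-*.so; do
            [ -f "$f" ] || continue
            if ! rpm -Vf "$f" >/dev/null 2>&1; then
                echo "INDICATOR: $f (or its package) fails rpm verify"
                found=1
            fi
        done
    fi

    return $found
}
```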