I think one of my machine got hacked, but I can figure out from where...
I found some suspicious file in /bin and /usr/bin directories that are owned by user id 122, where this machine doesn't a userid 122.
So, does anyone hav a centos 3.9 install arround that can send me the info
One of our investigators has collaborators around the world, on old machines, so we have this: 2.4.21-63.ELsmp #1 SMP Tue Nov 3 18:48:49 EST 2009 i686 athlon i386 GNU/Linux Note they may be different on your machine.
about (filesize, md5, modification date) these file :
/bin : ls netstat ps
-rwxr-xr-x 1 root root 67700 Jun 12 2007 /bin/ls -rwxr-xr-x 1 root root 83800 May 22 2007 /bin/netstat -r-xr-xr-x 1 root root 64076 Apr 19 2006 /bin/ps
e102f6c3dde4043908ed001e1587b1d2 /bin/ls bdfc76a24f59cc6cd8a70f771cc5cda4 /bin/netstat fc3369b3564e00f877387a13bf3f467a /bin/ps
Dammm...
mds5um has been tempered with also... It return those expected values, but a md5sum programm I took elsewhere was returning another value...
Dammm...