On Sun, 2006-02-05 at 03:07 -0500, James Pifer wrote:
The first thing to do is run "ps auxfwwww" and look for anything that looks out of place. Feel free to post it here if you need help.
The only thing that looks out of place to me is the section of things being done by my hotmail account. I do have a hotmail account that I forward mail to using gotmail. Other than that I don't see anything obvious.
root      2392  0.0  0.2   5244 1232 ?     Ss   2005   0:16 /usr/sbin/sshd
root     15763  0.0  0.3   8020 1676 ?     Ss   Feb03  0:00  \_ sshd: hotmail [priv]
hotmail  15765  0.0  0.3   8184 1724 ?     S    Feb03  0:03  |   \_ sshd: hotmail@pts/7
Looks like someone may have guessed the password to this account. Use "netstat -plan" to find out what PID 15763 is connected to.
hotmail   6445  0.0  0.1   4428  856 pts/3 S    Feb04  0:00  |   \_ /bin/sh ./s 63.200.0.0/16
hotmail   6446  0.1  0.0 308976  484 pts/3 Sl   Feb04  1:25  |   |   \_ ./f -h 63.200.0.0 16 -u users -p pass -t 3 -c 30 -o log -d -k -C
Also find out what these 2 executables are about. If they're binary then run strings on them.
And most importantly, run "usermod -s /sbin/nologin hotmail".
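The steps in the reply above (match a PID to its connections with netstat -plan, find out what the executables are, run strings on them, and lock the account) collected into one script. This is an added example, not code from anyone on the list. The ps lines are the ones posted above; the netstat -plan output, the 198.51.100.7 and 63.200.12.34 peer addresses, and the triage-PID output directory are constructed here so the parsing part runs offline. The live_* and lock_account functions run real commands and need root on the affected box.

```sh
#!/bin/sh
# Triage helpers for a compromised shell account (added example; constructed samples).

# ps_cmds_for_user USER   -- reads "ps auxfwwww" text on stdin
# Prints "PID COMMAND" for every process owned by USER, tree glyphs stripped.
ps_cmds_for_user() {
  awk -v user="$1" 'NR > 1 && $1 == user {
    cmd = ""
    for (i = 11; i <= NF; i++) {
      if (cmd == "" && ($i == "|" || $i == "\\_")) continue   # skip ps -f tree drawing
      cmd = cmd (cmd == "" ? "" : " ") $i
    }
    print $2, cmd
  }'
}

# netstat_peers_for_pid PID   -- reads "netstat -plan" text on stdin
# Prints the Foreign Address of every socket owned by PID. Foreign Address is
# always field 5; udp lines have no State column, so the "PID/Program name"
# field is found by pattern instead of by position.
netstat_peers_for_pid() {
  awk -v pid="$1" '/^(tcp|udp)/ {
    for (i = 6; i <= NF; i++) if ($i ~ ("^" pid "/")) { print $5; break }
  }'
}

# live_triage_pid PID [DIR]  -- run as root on the affected host.
# Saves peers, exe/cwd, cmdline, and a copy of the binary plus file/strings output
# before anything gets deleted. DIR defaults to ./triage-PID (constructed name).
live_triage_pid() {
  pid=$1; out=${2:-./triage-$pid}
  mkdir -p "$out"
  netstat -plan 2>/dev/null | netstat_peers_for_pid "$pid" > "$out/peers.txt"
  exe=$(readlink "/proc/$pid/exe" || true)
  cwd=$(readlink "/proc/$pid/cwd" || true)
  printf 'exe=%s\ncwd=%s\n' "$exe" "$cwd" > "$out/paths.txt"
  tr '\0' ' ' < "/proc/$pid/cmdline" > "$out/cmdline.txt"
  if [ -n "$exe" ] && [ -r "$exe" ]; then
    cp -p "$exe" "$out/exe.bin"
    file "$exe" > "$out/file.txt" 2>/dev/null || true
    strings -n 8 "$exe" > "$out/strings.txt" 2>/dev/null || true
  fi
  echo "$out"
}

# lock_account USER  -- the usermod from the thread, plus what it does not do by
# itself: lock the password and end the sessions that are already logged in.
lock_account() {
  usermod -s /sbin/nologin "$1"
  passwd -l "$1"
  pkill -KILL -u "$1" || true
}

# Sample ps output: the lines from the message above.
PS_SAMPLE=$(cat <<'EOF'
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 2392 0.0 0.2 5244 1232 ? Ss 2005 0:16 /usr/sbin/sshd
root 15763 0.0 0.3 8020 1676 ? Ss Feb03 0:00 \_ sshd: hotmail [priv]
hotmail 15765 0.0 0.3 8184 1724 ? S Feb03 0:03 | \_ sshd: hotmail@pts/7
hotmail 6445 0.0 0.1 4428 856 pts/3 S Feb04 0:00 | \_ /bin/sh ./s 63.200.0.0/16
hotmail 6446 0.1 0.0 308976 484 pts/3 Sl Feb04 1:25 | | \_ ./f -h 63.200.0.0 16 -u users -p pass -t 3 -c 30 -o log -d -k -C
EOF
)

# Sample netstat -plan output: constructed; peer addresses are made up.
NETSTAT_SAMPLE=$(cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2392/sshd
tcp        0      0 192.0.2.10:22           198.51.100.7:41522      ESTABLISHED 15763/sshd: hotmail
tcp        0      1 192.0.2.10:47351        63.200.12.34:22         SYN_SENT    6446/./f
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1100/dhclient
EOF
)

# All PIDs the hotmail account owns in the sample, space separated.
demo_hotmail_pids() {
  printf '%s\n' "$PS_SAMPLE" | ps_cmds_for_user hotmail | awk '{ print $1 }' | paste -s -d ' ' -
}

if [ "${1:-}" = "demo" ]; then
  echo "hotmail PIDs: $(demo_hotmail_pids)"
  echo "sshd 15763 peer: $(printf '%s\n' "$NETSTAT_SAMPLE" | netstat_peers_for_pid 15763)"
fi
```

On the real host the order is: `live_triage_pid 15763`, `live_triage_pid 6446` (and 6445), then `lock_account hotmail`. The copy of the binary and the strings output are what you post back to the list; the peer list for 15763 is the address the password-guesser logged in from, which is also what to look for in /var/log/secure.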