john, replies below...
Linux Advocate wrote:
DID THIS GUY ACTUALLY SAVE A FILE ON MY HARD DISK??? AAAAAAHHHHHHHHHHHHHHHHHHHH???????????????
Was this why rkhunter popped out with this warning?
- Filesystem checks
    Checking /dev for suspicious files                    [ OK ]
    Scanning for hidden files                             [ Warning! ]
        /etc/.pwd.lock
        /usr/share/man/man1/..1.gz
        /dev/.udev
    Please inspect: /usr/share/man/man1/..1.gz (gzip compressed data, from Unix, max compression)
                    /dev/.udev (directory)
Should I delete these files? Are the man files normally .gz or .bz2?
There is also a similar entry, where another file called unix2.tgz was downloaded...
But I can't find these files on the hard disk? Guys, I am out of my league here. All assistance is deeply appreciated.
I *hope* this machine is disconnected from the internet and running a live CD to investigate this.
Yes, but I haven't formatted it yet because I need to understand what happened... I still can't believe a CentOS box that was regularly updated and patched was hacked.
Yes, it appears you've been hacked and have stealth files (any file with a . in front of the name is hidden and would only show with ls -a), and if you *are* rootkitted, there's a strong possibility your ls and other command tools have been replaced.
I don't think the attacker got root ownership, or else the log files would have been altered or deleted.
And it appears it came in via an exploit in that Horde framework (I know nothing about Horde).
Hopefully more members on the list will weigh in on this.
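An added example, not part of the thread above and not from rkhunter: a small POSIX shell script for the two questions the rkhunter warning raises, to be run from a live CD against the compromised disk mounted read-only (the mount point /mnt/root below is an assumption). It enumerates hidden entries with find(1) instead of ls(1), since the thread notes that ls may have been replaced, skips an allowlist of the two entries the thread already treats as expected (/etc/.pwd.lock and /dev/.udev; adjust to taste), and separately flags man page files whose name before the ".<section>.gz" suffix is empty or begins with a dot. On CentOS man pages are stored gzip-compressed as name.section.gz (ls.1.gz, for example), so a file named "..1.gz" has no name at all and only blends in among legitimate .1.gz files. The script is not forensically conclusive (find itself could be trojaned on the mounted disk, so run the live CD's binaries, never the suspect system's).

```shell
#!/bin/sh
# Added example (not from the thread): enumerate hidden entries under a mounted
# root with find(1) rather than ls(1), and flag man-page names that do not fit
# the name.section.gz convention. Paths and the allowlist are assumptions.

# Entries the thread already treats as expected on this box; edit as needed.
ALLOWLIST='/etc/.pwd.lock
/dev/.udev'

# find_hidden ROOT: print, sorted and relative to ROOT, every path under ROOT
# whose basename starts with a dot, minus the allowlist. Relative paths are
# compared so a root mounted at /mnt/root still matches "/etc/.pwd.lock".
find_hidden() {
    root=${1%/}
    find "$root" -name '.*' ! -name '.' ! -name '..' 2>/dev/null |
    while IFS= read -r p; do
        rel=${p#"$root"}
        [ -n "$rel" ] || continue               # skip the starting point itself
        if printf '%s\n' "$ALLOWLIST" | grep -qxF -- "$rel"; then
            continue                            # known, expected hidden entry
        fi
        printf '%s\n' "$rel"
    done | sort
}

# odd_man_names MANDIR: print man page files whose stem (the part before
# ".<section>.gz") is empty or itself begins with a dot, e.g. "..1.gz".
# Legitimate pages look like ls.1.gz and keep a non-empty, non-dotted stem.
odd_man_names() {
    find "$1" -type f -name '*.gz' 2>/dev/null |
    while IFS= read -r p; do
        b=$(basename "$p")
        stem=${b%.*.gz}                         # strip ".<section>.gz"
        case "$stem" in
            ''|.*) printf '%s\n' "$p" ;;        # empty or dotted stem: suspicious
        esac
    done | sort
}

# Usage: sh check_hidden.sh /mnt/root   (the suspect root, mounted read-only)
if [ $# -gt 0 ]; then
    echo "== hidden entries under $1 (paths relative to $1) =="
    find_hidden "$1"
    echo "== odd man page names under $1/usr/share/man =="
    odd_man_names "$1/usr/share/man"
fi
```

Anything this lists is a candidate to copy off the disk (with its timestamps) before it is deleted, not something to delete on sight; the contents of a hidden directory such as /dev/.udev are not themselves flagged, only the dotted name, so inspect them by hand. To test the separate worry that ls and friends were replaced, compare installed files against the package database on the mounted disk with `rpm -Va --root /mnt/root` from the live CD, keeping in mind that an attacker with root could have tampered with that database too.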