--- On Wed, 10/9/08, Miark mlist2@gardnerbusiness.com wrote:

From: Miark mlist2@gardnerbusiness.com
Subject: [CentOS] Compromised
To: centos@centos.org
Date: Wednesday, 10 September, 2008, 3:24 AM

My wife's office server was compromised today. It appears they ssh'ed in through account pcguest which was set up for Samba. (I don't remember setting up that account, but maybe I did.) At any rate, I found a bazillion "ftp_scanner" processes running. A killall finished them off quickly, I nuked the pcguest account, and switched ssh to a different port (which I normally do anyway).
I used 'find' to locate ftp_scanner, which was running in a folder under /var/tmp. It seems that before I could nuke the directory, it nuked itself!
Because it was running from /var/tmp, and because 'find' and 'ps' were not compromised (in that they did not hide the ftp_scanner processes or files), I'm thinking the attacker really didn't get any further than eating some bandwidth.
I suppose I have no choice but to re-install, but I thought I'd get some feedback first. (Something other than, "Way to go, moron.") In the meantime, I'm pulling the plug.
Miark

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
See http://mirror.centos.org/centos-4/4.6/docs/html/rhel-sg-en-4/ch-exploits.htm...

Hackers use scanners that try accounts like "test", "pcguest", etc. A while back I set up a system on VMWare with a blank password for the "test" account. Unfortunately they did not fall for it. In the meantime, secure your server.
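As an added example (not part of either message in this thread, and not CentOS project code): a small POSIX shell audit for the two things the thread turns on, accounts that exist only for Samba but still have a login shell sshd will honour, and sshd settings that let a guessed password in, plus a summary of successful logins from a /var/log/secure excerpt. The passwd lines, log lines and sshd_config fragments are constructed sample data; the usernames pcguest and miark, the host name and the IP addresses are assumed for illustration only.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. All input below is
# constructed sample data so the script runs offline on any box.
#
# Remediation the thread implies, shown here only as commands to run by hand:
#   usermod -s /sbin/nologin pcguest   # Samba-only account: no shell for sshd
#   usermod -L pcguest                 # lock the password as well

# Constructed /etc/passwd excerpt. The hypothetical "pcguest" has a real shell,
# which is exactly what a password-guessing scanner needs.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
smbuser:x:500:500:Samba share user:/home/smbuser:/sbin/nologin
pcguest:x:501:501:Samba guest:/home/pcguest:/bin/bash
miark:x:502:502:Miark:/home/miark:/bin/bash'

# Constructed /var/log/secure excerpt in the sshd format CentOS 4/5 uses.
SAMPLE_SECURE='Sep  9 23:51:02 office sshd[3120]: Failed password for pcguest from 198.51.100.7 port 41242 ssh2
Sep  9 23:51:05 office sshd[3122]: Failed password for pcguest from 198.51.100.7 port 41250 ssh2
Sep  9 23:51:09 office sshd[3124]: Accepted password for pcguest from 198.51.100.7 port 41261 ssh2
Sep 10 08:14:33 office sshd[4011]: Accepted publickey for miark from 192.0.2.10 port 50123 ssh2'

# Constructed sshd_config fragments: the permissive defaults and a hardened set.
PERMISSIVE_SSHD='PasswordAuthentication yes
PermitRootLogin yes'
HARDENED_SSHD='PasswordAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
AllowUsers miark'

# Print accounts whose shell sshd would hand a session to.
# Reads passwd-format text on stdin; prints "user shell" per line.
shell_accounts() {
    awk -F: '$7 != "/sbin/nologin" && $7 != "/bin/false" { print $1, $7 }'
}

# Summarise successful sshd logins by user and source address.
# Reads log text on stdin; prints "user ip count" per line, sorted.
# Field layout: $6=Accepted $7=method $8=for $9=user $10=from $11=ip
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / { n[$9 " " $11]++ }
         END { for (k in n) print k, n[k] }' | sort
}

# Flag sshd_config directives that let a guessed password in.
# Reads config text on stdin; prints one "WEAK <directive>" line per problem.
# Unset directives are treated as their permissive upstream defaults.
check_sshd_config() {
    awk '
    /^[[:space:]]*#/ { next }
    tolower($1) == "passwordauthentication" { pw = tolower($2) }
    tolower($1) == "permitrootlogin"        { rl = tolower($2) }
    tolower($1) == "permitemptypasswords"   { ep = tolower($2) }
    tolower($1) == "allowusers"             { au = 1 }
    END {
        if (pw != "no")  print "WEAK PasswordAuthentication"
        if (rl != "no")  print "WEAK PermitRootLogin"
        if (ep == "yes") print "WEAK PermitEmptyPasswords"
        if (!au)         print "WEAK AllowUsers (unset: every account may log in)"
    }'
}

# Stand-alone run over the constructed data.
printf 'Accounts with a login shell:\n'
printf '%s\n' "$SAMPLE_PASSWD" | shell_accounts
printf '\nSuccessful sshd logins (user ip count):\n'
printf '%s\n' "$SAMPLE_SECURE" | accepted_logins
printf '\nPermissive sshd_config:\n'
printf '%s\n' "$PERMISSIVE_SSHD" | check_sshd_config
printf '\nHardened sshd_config (no output means no findings):\n'
printf '%s\n' "$HARDENED_SSHD" | check_sshd_config
```

On a real system feed `/etc/passwd`, `/var/log/secure` and `/etc/ssh/sshd_config` to the three functions instead of the samples. Moving sshd to another port, as the original poster did, cuts log noise but does not stop a scanner that has already found a password; AllowUsers plus PasswordAuthentication no does.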