Hi,

Well, that's telling. So do you have chkrootkit installed? Although you know you've got to have a rootkit on there. Anyway, it may help narrow your search of the directories and the changes within.

-rickp

On 5/3/06, Nick <list at everywhereinternet.com> wrote:
> So pretty sure one of my boxes has been owned. Just wanted some advice
> on what to do next. Obviously, I'll need to nuke the fecker and start
> over but it would be really nice to find out how they got in as it's a
> CentOS 4.3 which is bang up to date.
>
> So I found:
>
>   PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME CPU COMMAND
>  7052 apache    25   0 27320 5348     8 R    99.0  0.5 736:52   0 uselib24
>
> [root at box tmp]# netstat -lnp |more
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> tcp        0      0 0.0.0.0:32768           0.0.0.0:*               LISTEN      3012/rpc.statd
> tcp        0      0 127.0.0.1:32769         0.0.0.0:*               LISTEN      3138/xinetd
> tcp        0      0 0.0.0.0:66              0.0.0.0:*               LISTEN      3124/sshd
> tcp        0      0 0.0.0.0:9865            0.0.0.0:*               LISTEN      7031/bindz
> tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      14534/mysqld
> tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2993/portmap
> tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      7031/bindz
> tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN      3138/xinetd
> tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      3578/vsftpd
> tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      10707/sendmail: acc
> tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      7031/bindz
>
> Bindz.... hmm. Telnetting to the port gave me a root shell - nice. My
> firewall scripts should block that port but I don't know if they're
> working now :(
>
> Contents of /var/tmp was:
>
> -rwxrwxr-x  1 apache apache  19429 Jan 10 16:20 bindz
> -rw-r--r--  1 apache apache   2100 Jan  8 21:32 dc.txt
> -rwxrwxr-x  1 apache apache 479843 Aug  3  2005 uselib24
>
> dc.txt started:
>
> #!/usr/bin/perl
> use IO::Socket;
> #IRAN HACKERS SABOTAGE Connect Back Shell
> #code by:LorD
> #We Are :LorD-C0d3r-NT
> #Email:LorD at ihsteam.com
> #
> #lord at SlackwareLinux:/home/programing$ perl dc.pl
> #--== ConnectBack Backdoor Shell vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==--
> #
> #Usage: dc.pl [Host] [Port]
> #
> #Ex: dc.pl 127.0.0.1 2121
> #lord at SlackwareLinux:/home/programing$ perl dc.pl 127.0.0.1 2121
> #--== ConnectBack Backdoor Shell vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==--
> #
> #[*] Resolving HostName
> #[*] Connecting... 127.0.0.1
> #[*] Spawning Shell
> #[*] Connected to remote host
>
> I might e-mail him and thank him.
>
> So what next?
>
>
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
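The checks Nick did by hand above (who holds which listening port, what is sitting in /var/tmp, what is running out of a temp directory) can be scripted so they are repeatable across the other boxes he manages. The script below is an added example for this thread, not code from the thread or from CentOS. It parses netstat -lnp and ls -l output of the same shape as the post and flags three things the post shows: a port that the host's allowlist says belongs to one daemon but is held by another (bindz on 80 and 443 instead of httpd), a non-loopback listener on a port nobody expected (bindz on 9865), and files in a temp directory owned by the web-server account or marked executable. The per-host allowlist EXPECTED_LISTENERS, the SERVICE_ACCOUNTS set and the TEMP_DIRS tuple are assumptions; port 66 for sshd is taken from Nick's own netstat output. The sample text inside the script is constructed to mirror the post, it is not a capture. One caveat a responder should keep in mind: on a box where telnet to a port gives a root shell, ps, netstat and ls themselves may already be trojaned, so run this from a trusted, statically linked toolkit or against a disk image mounted read-only on a clean machine; the live /proc walk at the end is only meaningful when the kernel itself has not been tampered with.

```python
#!/usr/bin/env python3
"""Triage helpers for a suspected Linux compromise.

Added example for the CentOS list thread above; not the thread's own code.
Sample inputs are constructed to mirror the post, not captured from a host.
"""
import os
import re

# Assumption: the temp directories a web-server account can write to on this box.
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Assumption: per-host allowlist of which program should own each listening port.
# Port 66 for sshd follows the netstat output in the post.
EXPECTED_LISTENERS = {
    21: "vsftpd", 25: "sendmail", 66: "sshd", 80: "httpd", 111: "portmap",
    113: "xinetd", 443: "httpd", 3306: "mysqld",
}

# Assumption: accounts that should never own files in a temp directory here.
SERVICE_ACCOUNTS = {"apache"}

# One `netstat -lnp` socket line: proto, queues, local ip:port, foreign, optional
# state (absent for udp), then "pid/program". Sockets shown as "-" are skipped.
NETSTAT_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<ip>\S+):(?P<port>\d+)\s+\S+\s+"
    r"(?:LISTEN\s+)?(?P<pid>\d+)/(?P<prog>.+?)\s*$"
)

# One `ls -l` line: mode, links, owner, group, size, three date tokens, name.
LS_RE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<size>\d+)\s+\S+\s+\d+\s+\S+\s+(?P<name>.+)$"
)


def parse_netstat(text):
    """Return one dict per listening socket that netstat could attribute to a PID."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line.strip())
        if m:
            rows.append({"proto": m["proto"], "ip": m["ip"], "port": int(m["port"]),
                         "pid": int(m["pid"]), "prog": m["prog"]})
    return rows


def classify_listeners(rows, expected=EXPECTED_LISTENERS):
    """Findings as (kind, port, program, pid).

    'hijacked': the port is on the allowlist but a different program holds it.
    'unknown' : the port is not on the allowlist and is bound beyond loopback.
    """
    findings = []
    for r in rows:
        # netstat truncates names ("sendmail: acc"); keep the first token only.
        name = r["prog"].split()[0].rstrip(":")
        if r["port"] in expected:
            if name != expected[r["port"]]:
                findings.append(("hijacked", r["port"], name, r["pid"]))
        elif not r["ip"].startswith(("127.", "::1")):
            findings.append(("unknown", r["port"], name, r["pid"]))
    return findings


def suspicious_files(ls_text, accounts=SERVICE_ACCOUNTS):
    """Map file name -> reasons for entries a service account owns or that are executable."""
    out = {}
    for line in ls_text.splitlines():
        m = LS_RE.match(line.strip())
        if not m:
            continue
        reasons = []
        if m["owner"] in accounts:
            reasons.append("owned by service account " + m["owner"])
        if "x" in m["mode"][1:] or "s" in m["mode"][1:]:
            reasons.append("executable in a temp directory")
        if reasons:
            out[m["name"]] = reasons
    return out


def live_suspect_processes(proc="/proc"):
    """On a running box: PIDs whose binary lives in a temp dir or was unlinked after
    exec ("(deleted)" suffix). Needs root to read other users' /proc/<pid>/exe."""
    hits = []
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        try:
            exe = os.readlink(os.path.join(proc, pid, "exe"))
        except OSError:  # kernel thread, process already gone, or no permission
            continue
        if exe.startswith(TEMP_DIRS) or exe.endswith(" (deleted)"):
            hits.append((int(pid), exe))
    return hits


# Constructed sample input mirroring the post (not a capture).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:32768           0.0.0.0:*               LISTEN      3012/rpc.statd
tcp        0      0 127.0.0.1:32769         0.0.0.0:*               LISTEN      3138/xinetd
tcp        0      0 0.0.0.0:66              0.0.0.0:*               LISTEN      3124/sshd
tcp        0      0 0.0.0.0:9865            0.0.0.0:*               LISTEN      7031/bindz
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      14534/mysqld
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2993/portmap
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      7031/bindz
tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN      3138/xinetd
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      3578/vsftpd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      10707/sendmail: acc
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      7031/bindz
"""

SAMPLE_LS = """\
-rwxrwxr-x  1 apache apache  19429 Jan 10 16:20 bindz
-rw-r--r--  1 apache apache   2100 Jan  8 21:32 dc.txt
-rwxrwxr-x  1 apache apache 479843 Aug  3  2005 uselib24
"""

if __name__ == "__main__":
    for kind, port, prog, pid in classify_listeners(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{kind:8} port {port:<5} {prog} (pid {pid})")
    for name, reasons in suspicious_files(SAMPLE_LS).items():
        print(f"/var/tmp/{name}: " + "; ".join(reasons))
    for pid, exe in live_suspect_processes():
        print(f"live: pid {pid} runs {exe}")
```

On the sample it reports bindz as hijacking 80 and 443 and as an unknown listener on 9865, rpc.statd on 32768 as unknown (real noise on a box that runs NFS, which is why the allowlist is per host), and all three /var/tmp files as apache-owned with bindz and uselib24 executable. The PIDs in the findings are the ones to pull /proc/<pid>/exe, cwd, environ and open file descriptors from before anything is killed, since a listener like bindz is often started from a script that is long gone. If chkrootkit is used as rickp suggests, point it at known-good binaries with its -p option rather than letting it call the box's own ps and netstat.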