[CentOS] Compromised

Miark mlist2 at gardnerbusiness.com
Wed Sep 10 03:24:49 UTC 2008

My wife's office server was compromised today. It appears
they ssh'ed in through account pcguest which was set up for
Samba. (I don't remember setting up that account, but maybe I
did.) At any rate, I found a bazillion "ftp_scanner" processes
running. A killall finished them off quickly, I nuked the
pcguest account, and switched ssh to a different port (which
I normally do anyway).

I used 'find' to locate ftp_scanner, which was running in a
folder under /var/tmp. It seems that before I could nuke the
directory, it nuked itself! 

Because it was running from /var/tmp, and because 'find' and
'ps' were not compromised (in that they did not hide the
ftp_scanner processes or files), I'm thinking the attacker
really didn't get any further than eating some bandwidth.

I suppose I have no choice but to re-install, but I thought I'd
get some feedback first. (Something other than, "Way to
go, moron.") In the meantime, I'm pulling the plug.


