[CentOS] Compromised

Wed Sep 10 03:24:49 UTC 2008
Miark <mlist2 at gardnerbusiness.com>

My wife's office server was compromised today. It appears
they ssh'ed in through account pcguest which was set up for
Samba. (I don't remember setting up that account, but maybe I
did.) At any rate, I found a bazillion "ftp_scanner" processes
running. A killall finished them off quickly, I nuked the
pcguest account, and switched ssh to a different port (which 
I normally do anyway). 

I used 'find' to locate ftp_scanner, which was running in a
folder under /var/tmp. It seems that before I could nuke the
directory, it nuked itself! 

Because it was running from /var/tmp, and because 'find' and
'ps' were not compromised (in that they did not hide the
ftp_scanner processes or files), I'm thinking the attacker 
really didn't get any further than eating some bandwidth. 

I suppose I have no choice but to re-install, but I thought I'd
run I'd get some feedback first. (Something other than, "Way to
go, moron.") In the meantime, I'm pulling the plug.