--- On Wed, 10/9/08, Miark <mlist2 at gardnerbusiness.com> wrote:

> From: Miark <mlist2 at gardnerbusiness.com>
> Subject: [CentOS] Compromised
> To: centos at centos.org
> Date: Wednesday, 10 September, 2008, 3:24 AM
>
> My wife's office server was compromised today. It appears they ssh'ed in
> through account pcguest which was set up for Samba. (I don't remember
> setting up that account, but maybe I did.) At any rate, I found a
> bazillion "ftp_scanner" processes running. A killall finished them off
> quickly, I nuked the pcguest account, and switched ssh to a different
> port (which I normally do anyway).
>
> I used 'find' to locate ftp_scanner, which was running in a folder under
> /var/tmp. It seems that before I could nuke the directory, it nuked
> itself!
>
> Because it was running from /var/tmp, and because 'find' and 'ps' were
> not compromised (in that they did not hide the ftp_scanner processes or
> files), I'm thinking the attacker really didn't get any further than
> eating some bandwidth.
>
> I suppose I have no choice but to re-install, but I thought I'd get some
> feedback first. (Something other than, "Way to go, moron.") In the
> meantime, I'm pulling the plug.
>
> Miark
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

See http://mirror.centos.org/centos-4/4.6/docs/html/rhel-sg-en-4/ch-exploits.html

Hackers use scanners that use accounts like "test", pcguest etc.

A while back I set up a system on VMWare with a blank password for the "test" account. Unfortunately they did not fall for it.

In the meantime, secure your server.
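As an added example (not part of either message in this thread), here is a small POSIX shell audit covering the three things the incident turned on: service or test accounts (such as a Samba-only "pcguest") that still carry an interactive login shell, accounts whose /etc/shadow password field is empty, and executables sitting under a temp directory such as /var/tmp, plus a scan of sshd log lines for accepted logins so you can see which account and source address got in. The passwd, shadow and log samples are constructed for the demonstration; the function names are my own, not from any CentOS tool.

```shell
#!/bin/sh
# Added example: audit helpers for the scenario in the thread.
# All sample data below is constructed; on a real host you would feed
# /etc/passwd, /etc/shadow and /var/log/secure into the same functions.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
pcguest:x:502:502:Samba guest:/home/pcguest:/bin/bash
test:x:503:503::/home/test:/bin/bash
smbuser:x:504:504::/home/smbuser:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin'

SAMPLE_SHADOW='root:$1$abc:14000:0:99999:7:::
pcguest:$1$def:14000:0:99999:7:::
test::14000:0:99999:7:::
smbuser:!!:14000:0:99999:7:::
daemon:*:14000:0:99999:7:::'

SAMPLE_SECURE_LOG='Sep 10 01:58:03 srv sshd[4101]: Failed password for invalid user test from 198.51.100.23 port 50111 ssh2
Sep 10 01:58:09 srv sshd[4104]: Failed password for pcguest from 198.51.100.23 port 50118 ssh2
Sep 10 02:11:42 srv sshd[4123]: Accepted password for pcguest from 198.51.100.23 port 51234 ssh2
Sep 10 02:30:10 srv sshd[4190]: Accepted publickey for admin from 192.0.2.8 port 40022 ssh2'

# Accounts whose login shell is interactive (anything not ending in
# nologin or false). A Samba-only account should never appear here.
interactive_accounts() {
    printf '%s\n' "$1" | awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'
}

# Accounts whose shadow password field is empty: no password at all,
# which is exactly what an SSH account scanner hopes to find.
empty_password_accounts() {
    printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# Intersection of the two lists: interactive shell and no password.
risky_accounts() {
    for u in $(interactive_accounts "$1"); do
        empty_password_accounts "$2" | grep -qx "$u" && echo "$u"
    done
    return 0
}

# Regular files with the owner-execute bit set under a directory,
# the place a dropped binary such as ftp_scanner would be found.
tmp_executables() {
    find "$1" -type f -perm -100 -print
}

# "user address" for every accepted sshd login in the supplied log text.
accepted_logins() {
    printf '%s\n' "$1" | awk '/sshd\[[0-9]+\]: Accepted / { print $9, $11 }'
}

echo "Interactive accounts:"
interactive_accounts "$SAMPLE_PASSWD"
echo "Interactive accounts with an empty password:"
risky_accounts "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
echo "Accepted SSH logins (user address):"
accepted_logins "$SAMPLE_SECURE_LOG"
# Real use (run as root):
#   risky_accounts "$(cat /etc/passwd)" "$(cat /etc/shadow)"
#   tmp_executables /var/tmp
#   accepted_logins "$(cat /var/log/secure)"
```

On the sample data, "pcguest" and "test" both show up as interactive accounts, and "test" is the one with no password at all. Accounts that exist only for Samba belong in the nologin set; the fix on a live box is `usermod -s /sbin/nologin pcguest` (or removing the account, as the original poster did), together with `PasswordAuthentication no` or an `AllowUsers` list in sshd_config so that scanners guessing account names have nothing to authenticate against.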