[CentOS] Compromised

Wed Sep 10 08:52:59 UTC 2008
Josh Donovan <josh.dvan at yahoo.co.uk>

--- On Wed, 10/9/08, Miark <mlist2 at gardnerbusiness.com> wrote:

> From: Miark <mlist2 at gardnerbusiness.com>
> Subject: [CentOS] Compromised
> To: centos at centos.org
> Date: Wednesday, 10 September, 2008, 3:24 AM
> My wife's office server was compromised today. It appears they ssh'ed in
> through account pcguest which was set up for Samba. (I don't remember
> setting up that account, but maybe I did.) At any rate, I found a bazillion
> "ftp_scanner" processes running. A killall finished them off quickly, I
> nuked the pcguest account, and switched ssh to a different port (which I
> normally do anyway).
> 
> I used 'find' to locate ftp_scanner, which was running in a folder under
> /var/tmp. It seems that before I could nuke the directory, it nuked itself!
> 
> Because it was running from /var/tmp, and because 'find' and 'ps' were not
> compromised (in that they did not hide the ftp_scanner processes or files),
> I'm thinking the attacker really didn't get any further than eating some
> bandwidth.
> 
> I suppose I have no choice but to re-install, but I thought I'd get some
> feedback first. (Something other than, "Way to go, moron.") In the meantime,
> I'm pulling the plug.
> 
> Miark
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

See http://mirror.centos.org/centos-4/4.6/docs/html/rhel-sg-en-4/ch-exploits.html
Hackers use scanners that use accounts like "test", "pcguest", etc.
A while back I set up a system on VMWare with a blank password for
the "test" account. Unfortunately they did not fall for it. In the
meantime, secure your server.