john, replies below...

> Linux Advocate wrote:
> > DID THIS GUY ACTUALLY SAVE A FILE ON MY HARD DISK???
> > AAAAAAHHHHHHHHHHHHHHHHHHHH???????????????
> >
> > Was this why rkhunter popped out with this warning?
> >
> > * Filesystem checks
> > Checking /dev for suspicious files... [ OK ]
> > Scanning for hidden files... [ Warning! ]
> > ---------------
> > /etc/.pwd.lock /usr/share/man/man1/..1.gz /dev/.udev
> > ---------------
> > Please inspect: /usr/share/man/man1/..1.gz (gzip compressed data, from Unix, max compression) /dev/.udev (directory)
> >
> > Should I delete these files? Are the man files normally .gz or .bz2?
> >
> > There is also a similar entry, where another file called unix2.tgz was downloaded....
> >
> > But I can't find these files on the HDisk?
> > Guys, I am out of my league here. All assistance is deeply appreciated.
> >
>
> I *hope* this machine is disconnected from the internet and running a
> liveCD to investigate this

Yes, but I haven't formatted it yet because I need to understand what happened... I still can't believe a CentOS box that was regularly updated, patched was hacked.

> yes, it appears you've been hacked, and have stealth files (any file
> with . in front of the name is hidden and would only show with ls -a and
> if you *are* rootkitted, there's a strong possibility your ls and other
> command tools have been replaced..

I don't think the attacker got root ownership, or else the log files would have been altered or deleted.

> and, it appears it came in via an exploit in that horde framework (I
> know nothing about horde)
> hopefully more members on the list will weigh in on this.
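
Since the thread notes that ls may have been replaced on a rootkitted box, the hidden-file check can be repeated from the live CD against the suspect disk mounted read-only. The following is an added example, not part of the original thread and not rkhunter's own code; the `EXPECTED` allow-list, the directory list and the sample tree are assumptions constructed for illustration.

```python
import gzip
import os
import stat
import tempfile

# Assumption: dot-entries expected on this release; confirm against a clean install.
EXPECTED = {"/etc/.pwd.lock", "/dev/.udev"}
MAGIC = [(b"\x1f\x8b", "gzip"), (b"BZh", "bzip2"), (b"\x7fELF", "ELF"), (b"#!", "script")]

def sniff(path):
    """Classify a regular file by its leading bytes, not by its extension."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    return next((kind for magic, kind in MAGIC if head.startswith(magic)), "other")

def find_hidden(root, subdirs=("etc", "dev", "usr/share/man")):
    """Return sorted (path, kind) for unexpected dot-entries under a mounted root."""
    findings = []
    for sub in subdirs:
        for dirpath, dirnames, filenames in os.walk(os.path.join(root, sub)):
            for name in dirnames + filenames:
                full = os.path.join(dirpath, name)
                logical = "/" + os.path.relpath(full, root)
                if not name.startswith(".") or logical in EXPECTED:
                    continue
                mode = os.lstat(full).st_mode  # lstat: never follow symlinks
                if stat.S_ISDIR(mode):
                    kind = "directory"
                elif stat.S_ISREG(mode):
                    kind = sniff(full)
                else:
                    kind = "special"
                findings.append((logical, kind))
    return sorted(findings)

def build_sample(root):
    """Constructed tree mirroring the paths in the rkhunter warning above."""
    man1 = os.path.join(root, "usr/share/man/man1")
    for d in ("etc", "dev/.udev", man1):
        os.makedirs(os.path.join(root, d), exist_ok=True)
    open(os.path.join(root, "etc/.pwd.lock"), "w").close()
    for name in ("ls.1.gz", "..1.gz"):
        with gzip.open(os.path.join(man1, name), "wb") as fh:
            fh.write(b"constructed sample data")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        for path, kind in find_hidden(root):
            print(path, kind)
```

On a real investigation, `root` would be the mount point of the suspect filesystem, mounted read-only from the live CD, so the interpreter and libraries doing the walk come from trusted media.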