>> I think one of my machines got hacked, but I can figure out from where...
>>
>> I found some suspicious files in /bin and /usr/bin directories that are
>> owned by user id 122, where this machine doesn't have a userid 122.
>>
>> So, does anyone have a centos 3.9 install around that can send me the
>> info
>
> One of our investigators has collaborators around the world, on old
> machines, so we have this:
> 2.4.21-63.ELsmp #1 SMP Tue Nov 3 18:48:49 EST 2009 i686 athlon i386
> GNU/Linux
> Note they may be different on your machine.

>> about (filesize, md5, modification date) these files:
>>
>> /bin :
>> ls
>> netstat
>> ps
>
> -rwxr-xr-x 1 root root 67700 Jun 12 2007 /bin/ls
> -rwxr-xr-x 1 root root 83800 May 22 2007 /bin/netstat
> -r-xr-xr-x 1 root root 64076 Apr 19 2006 /bin/ps
>
> e102f6c3dde4043908ed001e1587b1d2 /bin/ls
> bdfc76a24f59cc6cd8a70f771cc5cda4 /bin/netstat
> fc3369b3564e00f877387a13bf3f467a /bin/ps

Dammm... md5sum has been tampered with also... It returns those expected values, but a md5sum program I took elsewhere was returning another value...

Dammm...
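
The check discussed in this thread, as an added example that is not part of the original messages: it flags files whose owner UID has no passwd entry and compares size and MD5 against reference values, hashing in-process rather than through the host's `md5sum`. The function names and the `audit()` interface are assumptions for illustration; on a suspect host the script and interpreter should themselves come from trusted media.

```python
import hashlib
import os
import pwd
import stat


def md5_of(path, chunk=1 << 16):
    """Hash in-process instead of calling the host's md5sum binary."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def audit(directory, baseline, known_uids=None):
    """Return (path, finding) tuples for regular files in `directory`.

    baseline: {filename: (size, md5hex)} from a trusted install of the
    same release; values differ between package versions.
    """
    if known_uids is None:
        known_uids = {p.pw_uid for p in pwd.getpwall()}
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode):
            continue
        if st.st_uid not in known_uids:
            findings.append((path, "owner uid %d has no passwd entry" % st.st_uid))
        if name in baseline:
            size, digest = baseline[name]
            if st.st_size != size:
                findings.append((path, "size %d, expected %d" % (st.st_size, size)))
            elif md5_of(path) != digest:
                findings.append((path, "md5 mismatch"))
    return findings


if __name__ == "__main__":
    # Reference values as quoted in the reply above for the CentOS 3.9 box.
    ref = {
        "ls": (67700, "e102f6c3dde4043908ed001e1587b1d2"),
        "netstat": (83800, "bdfc76a24f59cc6cd8a70f771cc5cda4"),
        "ps": (64076, "fc3369b3564e00f877387a13bf3f467a"),
    }
    for path, why in audit("/bin", ref):
        print(path, why)
```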