On Sun, Jan 1, 2012 at 4:23 PM, Bennett Haselton <bennett at peacefire.org> wrote:
>
> So, following people's suggestions, the machine is disconnected and hooked
> up to a KVM so I can still examine the files. I've found this file:
> -rw-r--r-- 1 root root 1358 Oct 21 17:40 /home/file.pl
> which appears to be a copy of this exploit script:
> http://archive.cert.uni-stuttgart.de/bugtraq/2006/11/msg00302.html
> Note the last-mod date of October 21.

Did you do an rpm -Va to see if any installed files were modified besides
your own changes? Even better if you have an old backup that you can restore
somewhere and run an rsync -avn against the old/new instances.

> Anywhere else that the logs would contain useful data?

/root/.bash_history might be interesting. Obviously this would be after the
fact, but maybe they are trying to repeat the exploit with this machine as a
base.

--
Les Mikesell
lesmikesell at gmail.com
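The `rpm -Va` check suggested above produces one line per file whose recorded attributes differ from the package database, and the flag columns take some decoding (S size, M mode, 5 digest, D device, L symlink, U user, G group, T mtime, P capabilities; "missing" for a file that is gone; a trailing `c` or `d` marker for config and documentation files). The POSIX shell script below is an added example written for this thread, not something posted by Les or Bennett; it embeds a constructed sample of `rpm -Va` output (the paths and flags are made up for illustration) and sorts each line into SUSPECT, REVIEW, MISSING or LOWSIG so that a changed system binary is not buried among edited config files and mtime-only noise.

```shell
#!/bin/sh
# Added example: triage `rpm -Va` output from a suspect host.
# Real usage: rpm -Va 2>/dev/null | triage_rpm_verify
# rpm -Va line layout: 9 flag characters (8 on older rpm), an optional
# file-type marker (c = config, d = doc, g/l/r = ghost/license/readme),
# then the path. "missing" replaces the flags when the file is absent.

# Constructed sample output, as a compromised host might produce it.
SAMPLE_RPM_VA='S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/bin/ls
S.5....T.    /bin/ps
S.5....T.    /usr/bin/netstat
.M.......    /usr/bin/passwd
missing      /usr/lib/libproc.so
.......T.  d /usr/share/doc/foo/README'

# triage_rpm_verify: reads rpm -Va lines on stdin and prints one line per
# file with a category and reason. Config (c) and doc (d) files are reported
# as REVIEW rather than SUSPECT because edits to them are often legitimate;
# a non-config file whose digest, size, mode or owner differs is SUSPECT;
# an mtime-only change (T) is low signal on its own.
triage_rpm_verify() {
    awk '
    NF >= 2 {
        flags = $1
        if (NF >= 3) { marker = $2; path = $3 } else { marker = ""; path = $2 }
        if (flags == "missing") { print "MISSING  " path; next }
        if (marker == "c" || marker == "d") {
            kind = (marker == "c") ? "config" : "doc"
            print "REVIEW   " path " (" kind " file changed: " flags ")"
            next
        }
        reason = ""
        if (index(flags, "5")) reason = reason "digest "
        if (index(flags, "S")) reason = reason "size "
        if (index(flags, "M")) reason = reason "mode "
        if (index(flags, "U") || index(flags, "G")) reason = reason "owner "
        if (reason != "") { print "SUSPECT  " path " (" reason "differs)"; next }
        print "LOWSIG   " path " (mtime only)"
    }'
}

# count_category: number of sample lines that fall into the given category.
count_category() {
    printf '%s\n' "$SAMPLE_RPM_VA" | triage_rpm_verify | grep -c "^$1"
}

# Stand-alone run: show the full triage of the constructed sample.
printf '%s\n' "$SAMPLE_RPM_VA" | triage_rpm_verify
```

One caveat worth keeping in mind when reading the result: `rpm -Va` on the suspect host trusts that host's `rpm` binary, its libraries and the database under `/var/lib/rpm`, all of which are candidates for tampering. Running `rpm` from a clean rescue environment against the disconnected disk (for example `rpm --root /mnt/sysimage -Va` with the filesystem mounted read-only) removes the binary from that trust chain, though the database itself still comes from the suspect system; the rsync dry-run against an old backup that Les mentions is the stronger comparison when one is available.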