Re: .mech

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 7 Jul 2008 08:49:37 -0500, Fedora User wrote:

> There has been a lot of traffic on a machine lately.
> Someone noticed a .mech/.stealth directory in /var/tmp/...
> which looks kind of like a virus.  It does suspicious
> things.  There is a file called cyc.pid which contains
> a process id.  When I did a ps on the ID I found only
> "ps" was running.  However, in that same directory I noticed
> an executable called "ps".  The ps on ps showed it had been
> running for the last 4 or 5 days, and a regular linux ps runs
> no more than a few seconds.  There is also an executable there
> called "pico" and several server files all pointing to undernet.org.
> 
> Has anyone else run into this?  Is it a virus?  Is like an
> IRC bot.  What can be done?

You've got an intruder. Take the machine off the network. Create a backup
for further analyzation. Don't trust the output of installed binaries
like ps. Examine the installation from within a rescue mode.
Also see what "chkrootkit" and "rkhunter" find.  
Reinstall unless you really really *really* think you can repair it.

Btw, what version of Fedora is this? And what kind of service is it?

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list

[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux