Hello,

there are numerous brute force ssh attacks on the web. I was quite curious, and for fun, I created the typical user accounts and set easy-to-guess passwords....

Yesterday, such an ssh login was successful for users kevin and daikanyama. The hackers changed the passwords for both logins. They installed a certain program "undernet" as daikanyama and started a program called mech. After some minutes, I removed the network cable, killed all the processes of the users and disabled these users.

Then, I figured out that some programs such as grep did not work. I rebooted the machine, but during the reboot I got various "segmentation faults", "illegal instructions", .... I booted from an FC3 rescue CD, and I found out that various executables in /bin and /usr/bin were manipulated (grep, egrep, gzip, rpm, mount, ...). I replaced these manipulated executables with original files, but I forgot to replace gtbl. Then, the machine booted correctly. Later, when gtbl was called, some executables in /bin and /usr/bin were manipulated.

It seems to be some virus: when you start a manipulated executable, it manipulates other executables. I managed to replace all manipulated files and the machine seems to work correctly.

My question is: They did not guess the root password. How did they manipulate files which are only writable by root?

Is anyone interested in log files or in the programs which the hackers installed under daikanyama?

Best regards,
Daniel