Fedora User wrote:
There has been a lot of traffic on a machine lately. Someone noticed a .mech/.stealth directory in /var/tmp/... which looks kind of like a virus. It does suspicious things. There is a file called cyc.pid which contains a process id. When I did a ps on the ID I found only "ps" was running. However, in that same directory I noticed an executable called "ps". The ps on ps showed it had been running for the last 4 or 5 days, and a regular linux ps runs no more than a few seconds. There is also an executable there called "pico" and several server files all pointing to undernet.org. Has anyone else run into this? Is it a virus? Is like an IRC bot. What can be done? Tony
If those files are pointing to undernet, it's quite likely that the system doesn't have a virus on it, it's been compromised via (possibly) by an unpatched security hole. What does checkrookit say? Do you have that on the box at all?
I have to say your best bet is to take that system off the network so it can't communicate it with the controller and blow it away and reinstall. That's especially true if you don't have a lot of forensic experience trying to track down either the security hole or the b*stard that compromised it.
As it is, it looks like the ps executable is being redirected to the one in /var/tmp and pico is (was) a vi/emacs editor that I've not used in ages and ages.
Seems like they have enough control to edit root config files and do pretty much what they want.
-- Libenter homines id quod volunt credunt -- Caius Julius Caesar Mark Haney Sr. Systems Administrator ERC Broadband (828) 350-2415 Call (866) ERC-7110 for after hours support -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
