On Mon, 7 Jul 2008 08:49:37 -0500, Fedora User wrote: > There has been a lot of traffic on a machine lately. > Someone noticed a .mech/.stealth directory in /var/tmp/... > which looks kind of like a virus. It does suspicious > things. There is a file called cyc.pid which contains > a process id. When I did a ps on the ID I found only > "ps" was running. However, in that same directory I noticed > an executable called "ps". The ps on ps showed it had been > running for the last 4 or 5 days, and a regular linux ps runs > no more than a few seconds. There is also an executable there > called "pico" and several server files all pointing to undernet.org. > > Has anyone else run into this? Is it a virus? Is like an > IRC bot. What can be done? You've got an intruder. Take the machine off the network. Create a backup for further analyzation. Don't trust the output of installed binaries like ps. Examine the installation from within a rescue mode. Also see what "chkrootkit" and "rkhunter" find. Reinstall unless you really really *really* think you can repair it. Btw, what version of Fedora is this? And what kind of service is it? -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
