My home system has been hacked. It's running CentOS 4.4, and I
recently added an account to play around with Samba shares to back up
PCs here at home. I had set a weak password for that account and
forgot to disable it after my testing. I could hear the disk being
accessed constantly, so I knew something was up. I disabled the port
forwarding to my CentOS box on my Linksys router (only ports 22 and
80 were being forwarded). After some poking around, I found the
following files in the directory "/var/tmp/ /.. ":
-rw-rw-r-- 1 backup backup 9468 Dec 1 00:20 azi2.seen
-rw-rw-r-- 1 backup backup 9513 Dec 1 00:20 azi3.seen
-rw-rw-r-- 1 backup backup 9513 Dec 1 00:20 azi4.seen
-rwxr-xr-x 1 backup backup 504464 Feb 10 2005 -bash
-rwx--x--x 1 backup backup 22936 Feb 10 2005 kswap.help
-rw-r--r-- 1 backup backup 1085 Dec 1 00:00 kswap.levels
-rw------- 1 backup backup 5 Nov 29 17:28 kswap.pid
-rw-r--r-- 1 backup backup 1480 Dec 1 00:00 kswap.session
-rw-r--r-- 1 backup backup 4731 Dec 25 2005 kswap.set
-rw-r--r-- 1 backup backup 165073 Dec 1 00:26 LinkEvents
-rw-r--r-- 1 backup backup 258 Dec 1 00:00 mech2.users
-rw-r--r-- 1 backup backup 258 Dec 1 00:00 mech3.users
-rw-r--r-- 1 backup backup 258 Dec 1 00:00 mech4.users
-rw-r--r-- 1 backup backup 258 Jun 28 1999 mech.users
-rwxr-xr-x 1 backup backup 174396 May 17 2004 pico
Anyone recognize this rootkit (if that is what it is)? I've
disabled the backup account, and re-enabled port forwarding on my
router (so I can access the system from home). Other than deleting
these files, is there anything else I should worry about? I'd rather
not re-install the OS...
Alfred
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
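Two checks a defender can run after finding a directory like "/var/tmp/ /.. " (a name built from spaces and dots so it hides in casual `ls` output). This is an added example, not code from Alfred's post or from the CentOS project: it flags directory names of that kind under the world-writable locations an attacker typically uses, and lists running processes whose executable or working directory sits inside such a directory, which is what the constant disk activity and the kswap.pid file suggest. It assumes a Linux /proc layout for the process check; the scanned roots (/tmp, /var/tmp, /dev) are a suggested default, not something the post states.

```shell
#!/bin/sh
# Added example (not from the original post): spot hidden-looking directory
# names and the processes living in them. Assumes Linux /proc for procs_under.

# is_odd_name NAME -> exit 0 if NAME looks built to hide from `ls`:
# it contains whitespace (" ", ". ", ".. "), or is only dots ("..." and
# longer; "." and ".." are the normal entries and are never listed by find).
is_odd_name() {
    case "$1" in
        *[[:space:]]*) return 0 ;;
    esac
    printf '%s\n' "$1" | grep -Eq '^\.{3,}$'
}

# find_odd_dirs ROOT... -> prints every directory below the given roots
# whose own name satisfies is_odd_name, one path per line.
find_odd_dirs() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" -type d 2>/dev/null | while IFS= read -r d; do
            if [ "$d" = "$root" ]; then continue; fi
            if is_odd_name "${d##*/}"; then printf '%s\n' "$d"; fi
        done
    done
}

# procs_under DIR -> "PID exe=... cwd=..." for processes whose executable or
# working directory is inside DIR. Non-root users only see their own
# processes' links; run as root to cover everything (assumption: Linux /proc).
procs_under() {
    dir=$1
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || exe=
        cwd=$(readlink "$p/cwd" 2>/dev/null) || cwd=
        case "$exe" in
            "$dir"/*) printf '%s exe=%s cwd=%s\n' "${p#/proc/}" "$exe" "$cwd"; continue ;;
        esac
        case "$cwd" in
            "$dir"/*) printf '%s exe=%s cwd=%s\n' "${p#/proc/}" "$exe" "$cwd" ;;
        esac
    done
}

# Stand-alone use: sh check_hidden_dirs.sh /tmp /var/tmp /dev
if [ "$#" -gt 0 ]; then
    find_odd_dirs "$@" | while IFS= read -r d; do
        printf '== suspicious directory: %s\n' "$d"
        ls -la "$d"
        procs_under "$d"
    done
fi
```

Run it with the roots you want scanned (for example `sh check_hidden_dirs.sh /tmp /var/tmp /dev` as root); for each hit it prints the long listing, so file owners like the "backup" account in the post stand out, followed by any process still executing from that directory. Paths are passed through `while read` rather than word-split, so names made of spaces survive intact.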