john, replies below... > Linux Advocate wrote: > > DID THIS GUY ACTUALLY SAVE A FILE ON MY HARD DISK??? > > AAAAAAHHHHHHHHHHHHHHHHHHHH??????????????? > > > > Was this why rkhunter popped out with this warning? > > > > * Filesystem checks > > Checking /dev for suspicious files... [ OK ] > > Scanning for hidden files... [ Warning! ] > > --------------- > > /etc/.pwd.lock /usr/share/man/man1/..1.gz /dev/.udev > > --------------- > > Please inspect: /usr/share/man/man1/..1.gz (gzip compressed data, from Unix, > max compression) /dev/.udev (directory) > > > > Should i delete these files? are the man files nromally .gz or .bz2 ? > > > > There is also a similar entry, where another file called unix2.tgz was > downloaded.... > > > > But i cant find these files on the HDisk? > > guys i am out of my league here. All assistance is deeply appreciated. > > > > I *hope* this machine is disconnected from the internet and running a > liveCD to investigate this yes. but i havent formatted it yet bcos i need to understand what happened... i still cant believe a centos box that was regularly updated , patched was hacked > yes, it appears you've been hacked, and have stealth files (any file > with . in front oft he name is hidden and would only show with ls -a and > if you *are* rootkitted, there's a strong possibility your ls and other > command tools have been replaced.. i dont think the attacker got root ownership or else the log files would have been altered or deleted. > and, it appears it came in via an exploit in that horde framework (I > know nothing about horde) > hopefully more members on the list will weigh in on this. _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos