This is a me too email. I found one overlooked machine that was compromised on 16th of December.
The usual process related things replaced:

free pgrep pmap skill snice tload uptime w kill pkill ps slabtop sysctl top vmstat watch

All of these were chattr +ai, as if that was going to stop someone who knows what's going on :-)

One process hidden, called dropbear. It was easy to find when comparing the output of the hacked ps with the actual content of /proc, and then checking the /proc/pid/exe symlink.

Since kill was also replaced, I quickly wrote a wrapper in C for the kill() system call, and sent it a KILL signal.

The rest of the machine appears untouched, but I'll probably reinstall anyway.

Cheers,
Izak
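Added example (not part of the message above and not its author's code): a small C program for the comparison the message describes. It reads the PIDs printed by the suspect ps on stdin, walks the numeric entries of /proc itself, and prints every PID that ps left out along with its /proc/<pid>/exe target. The function names and the 4096-entry limit are assumptions of this example.

```c
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* A /proc entry is a process only if its name is all digits; else -1. */
static long parse_pid(const char *s) {
    if (!*s) return -1;
    for (const char *p = s; *p; p++)
        if (!isdigit((unsigned char)*p)) return -1;
    return strtol(s, NULL, 10);
}

/* Copy into out every PID found in /proc that the ps listing lacks. */
static size_t hidden_pids(const long *proc, size_t np,
                          const long *ps, size_t ns, long *out) {
    size_t k = 0;
    for (size_t i = 0; i < np; i++) {
        size_t j = 0;
        while (j < ns && ps[j] != proc[i]) j++;
        if (j == ns) out[k++] = proc[i];
    }
    return k;
}

int main(void) {
    static long ps[4096], proc[4096], hid[4096]; /* 4096: assumed limit */
    size_t ns = 0, np = 0;
    char line[64], path[64], exe[4096];
    while (ns < 4096 && fgets(line, sizeof line, stdin)) { /* ps PIDs */
        long p = strtol(line, NULL, 10);
        if (p > 0) ps[ns++] = p;
    }
    DIR *d = opendir("/proc");
    if (!d) { perror("/proc"); return 1; }
    for (struct dirent *e; np < 4096 && (e = readdir(d)); ) {
        long p = parse_pid(e->d_name);
        if (p > 0 && p != getpid()) proc[np++] = p; /* skip ourselves */
    }
    closedir(d);
    size_t nh = hidden_pids(proc, np, ps, ns, hid);
    for (size_t i = 0; i < nh; i++) {
        snprintf(path, sizeof path, "/proc/%ld/exe", hid[i]);
        ssize_t len = readlink(path, exe, sizeof exe - 1);
        exe[len > 0 ? len : 0] = '\0';
        printf("%ld\t%s\n", hid[i], len > 0 ? exe : "(exe unreadable)");
    }
    return 0;
}
```

Pipe the output of `ps -e -o pid=` into the compiled program. A process that starts between the ps run and the /proc scan is also reported, so repeat the run before treating a PID as hidden.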

