Hi, Today a RedHat 7.1 Linux machine of my friend was compromised. I have just started investigating, so I don't have any information of how it was done. After attack login via console stopped working. I have found the following files in /usr/bin: xchk and xsf. They are started from /etc/rc.d/rc.sysinit. xsf is an ssh daemon sitting on port 14859. I don't know what is the purpose of xchk. killall and ps were also replaced by programs which hide xsf and xchk. Does anyone saw something similar before and can point me to some information? I tried searching for xsf / xchk in Google and didn't have any results. -- Best Regards Vladimir Ivaschenko Certified Linux Engineer (RHCE) ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Jan 22 2002 - 10:21:57 PST