We've recently come across a rather popular hack. Several of our servers have already come across this. Originally, we thought it was related to the out-of-date kernels. The hack leaves behind:
/root/evil.tar.gz
Typical symptoms are the replacement of several core binaries. They include:
/bin/mv
/bin/mkdir
/bin/tar
sometimes:
/bin/ls
Rkhunter didn't turn up much.
We initially had this hack show up and noticed that our dedicated client was not up to date on his kernel. We reloaded the server/OS and installed the latest kernel. Within a day, the server is compromised again.
I'm investigating looking for the point of entry, but would like to see if anyone else has experienced this. On our other servers, reloading the OS and upgrading the kernel has seemed to prevent it, but it did in this latest case. Anyone else experience this?
I'll repost any information I uncover.
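Since the poster reports that rkhunter missed the replaced binaries, a simple baseline check against hashes taken right after a clean reload is a useful supplement. This is an added example, not code from the original post; the watched paths come from the post, the baseline file location is an assumption, and the check should ideally be run from known-good media, because a trojaned /bin/ls or a trojaned interpreter can lie to it.

```python
import hashlib
import json
import os

# Binaries the post reports as replaced, plus the archive it says is left behind.
WATCHED_BINARIES = ["/bin/mv", "/bin/mkdir", "/bin/tar", "/bin/ls"]
DROPPED_ARTIFACTS = ["/root/evil.tar.gz"]


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_baseline(paths, baseline_file):
    """Record trusted hashes immediately after a clean OS reload; keep a copy off the box."""
    baseline = {p: sha256_of(p) for p in paths if os.path.isfile(p)}
    with open(baseline_file, "w") as f:
        json.dump(baseline, f, indent=2)
    return baseline


def check_integrity(baseline_file, artifacts=DROPPED_ARTIFACTS):
    """Compare current hashes with the baseline and look for the dropped archive."""
    with open(baseline_file) as f:
        baseline = json.load(f)
    findings = {"modified": [], "missing": [], "artifacts": []}
    for path, expected in baseline.items():
        if not os.path.isfile(path):
            findings["missing"].append(path)
        elif sha256_of(path) != expected:
            findings["modified"].append(path)
    findings["artifacts"] = [a for a in artifacts if os.path.exists(a)]
    return findings


if __name__ == "__main__":
    # Assumed location for the baseline; generate it once on a clean system.
    BASELINE = "/var/lib/bin-baseline.json"
    if not os.path.exists(BASELINE):
        take_baseline(WATCHED_BINARIES, BASELINE)
    print(json.dumps(check_integrity(BASELINE), indent=2))
```

On RPM or Debian systems `rpm -V` or `debsums` gives the same comparison against the vendor's own hashes, but the baseline above also covers files no package owns.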