Hi, sigh... yes... some of our servers have been hit with the "SSH CRC-32 compensation attack detector vulnerability" attack.
Some servers have been compromised, and the usual rootkit stuff (install root shells in /etc/inetd.conf, bogus syslogd, haxored ps, etc.).

What is an easy way to locate binaries that are different from the ones provided in the original debs? And is there any other relatively easier way of cleaning up a system that has had a rootkit installed?

We've done a netstat -a and removed/killed all strange processes, and cleaned inetd.conf as much as we can, but some of the programs in inetd.conf have themselves also been tampered with (e.g. in.telnetd).

Please help... I have a bad feeling the crackers are coming back real soon to really finish off the job... so any help at this time in removing all their crap would be greatly appreciated.

Sincerely,
Jason