Diego Brouard writes:
As you've seen you have been cracked by a "worm", it's called
RST.b.
In a few words, it infects executable files in /bin and in the current directory
from where you are executing an already infected binary. You were infected
because of a php bug and the ptrace bug.
Might be a side effect of the tools that were used.
A quick scan with f-prot shows several infected files on the server
www.slacks.hpg.ig.com.br:
www.slacks.hpg.ig.com.br/bin/telnetd Infection: Unix/RST.B
www.slacks.hpg.ig.com.br/bin/sslscan Infection: Unix/RST.B
www.slacks.hpg.ig.com.br/bin/rh Infection: Unix/Osf.A
www.slacks.hpg.ig.com.br/bin/mass Infection: Unix/Osf.A
www.slacks.hpg.ig.com.br/bin/co1 Infection: Unix/Osf.A
www.slacks.hpg.ig.com.br/psyBNC.tar.gz->?->psybnc/makesalt Infection: Unix/Osf.A
www.slacks.hpg.ig.com.br/psyBNC.tar.gz->?->psybnc/psybnc Infection: Unix/Osf.A
But AFAIK none of these viruses is able to get root rights, so the attacker
must have got root rights before.