This is a "me too" email. I found one overlooked machine that was compromised on the 16th of December.
The usual process-related things replaced:

free pgrep pmap skill snice tload uptime w kill pkill ps slabtop sysctl top vmstat watch

All of these were chattr +ai, as if that was going to stop someone who knows what's going on :-)

One process hidden, called dropbear. It was easy to find when comparing the output of the hacked ps with the actual content of /proc, and then checking the /proc/pid/exe symlink. Since kill was also replaced, I quickly wrote a wrapper in C for the kill() system call, and sent it a KILL signal.

The rest of the machine appears untouched, but I'll probably reinstall anyway.

Cheers,
Izak
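The two checks described in the message above, as an added example that is not the poster's code: it diffs the PIDs a suspect ps reports against the numeric entries in /proc, prints each unreported PID with its /proc/pid/exe target, and can send SIGKILL through kill(2) directly. The program name `prochidden` and all function names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <dirent.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Added example (hypothetical names). Returns the PID if name is an all-digit /proc entry, else -1. */
long pid_from_name(const char *name) {
    if (!*name) return -1;
    for (const char *p = name; *p; p++)
        if (!isdigit((unsigned char)*p)) return -1;
    return strtol(name, NULL, 10);
}
/* Return 1 if pid is in the list the installed ps reported. */
int pid_reported(long pid, const long *seen, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (seen[i] == pid) return 1;
    return 0;
}
/* Print every PID under proc_root that ps did not report, with its exe target; return the count. */
int find_hidden(const char *proc_root, const long *seen, size_t n) {
    DIR *d = opendir(proc_root);
    if (!d) return -1;
    int hidden = 0; struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        long pid = pid_from_name(e->d_name);
        if (pid < 0 || pid_reported(pid, seen, n)) continue;
        char link[256], exe[4096];
        snprintf(link, sizeof link, "%s/%ld/exe", proc_root, pid);
        ssize_t len = readlink(link, exe, sizeof exe - 1);
        exe[len > 0 ? len : 0] = '\0';
        printf("%ld\t%s\n", pid, len > 0 ? exe : "(exe unreadable)");
        hidden++;
    }
    closedir(d);
    return hidden;
}
/* ps -e -o pid= | ./prochidden   lists unreported PIDs;  ./prochidden -k PID   calls kill(2). */
int main(int argc, char **argv) {
    if (argc == 3 && strcmp(argv[1], "-k") == 0) {
        long v = pid_from_name(argv[2]);  /* -1 for non-numeric input; 0 would hit the whole group */
        return (v > 0 && (pid_t)v == v && kill((pid_t)v, SIGKILL) == 0) ? 0 : 1;
    }
    static long seen[65536]; size_t n = 0;  /* PIDs from ps on stdin; input past the cap is ignored */
    while (n < 65536 && scanf("%ld", &seen[n]) == 1) n++;
    return find_hidden("/proc", seen, n) < 0;
}
```

Processes that start between the ps run and the /proc walk are also listed, so repeat the comparison before treating a PID as hidden. Compiling it on a trusted machine and linking statically keeps it independent of the binaries on the affected host.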