On 21 Feb 2009 at 0:46, Jean-Francois wrote:

> Hi All,
>
> It looks like my server running since few days has already been hacked.
> It looks like a new user called 'daemon' ID 1 and a new group daemon.
> User's full name 'The devil itself' !!!! First time I find out evidence
> of hack on my server, however it's only one month running !!
>
> It looks like ntpd was the entry daemon connected to other than ntp site
> but I'm not sure.
> I am not sure at all about this, maybe one has changed the daemon.
> After I checked the addresses that this daemon connected to, they were
> very strange as webservers content (blogs, default page 'It works' and
> so on ... I guess ntp servers shall not act like this).
>
> Please find enclosed the ntpd server md5 print, one could check
> if /usr/sbin/ntpd (OpenBSD 4.4) has the same print ?
> md5 print of ntpd daemon (/usr/sbin) on my OpenBSD 4.4 :
> a0c8961d5818b438ecbfd6c40be47a5f
>
> Thanks for your kind help.

Thank you for helping me finish an arduous week with a hearty laugh! ROTFL