Recently our system was under attack by intruders using trojan code to
gain access to our system. Apparently they where trying to get one of
our servers to route IRC-traffic using psyBNC.
It seems like the intruders, probably using reppid to take over processes,
could hide their own processes in existing ones. Doing something like
ps -gaux won't show anything strange at all!
This makes it impossible to find and shut off unwanted processes.
Using netstat I could clearly see that "something" was listening on
ports that I didn't recognize. Doing netstat -ap only showed a dash '-'
instead of any process owning the socket.
The server was running Linux Redhat 7.2 (Kernel 2.4.7-10). Unfortunately
I cannot get anymore specific because the intruders seems to have rendered
the system unbootable before I had any chance of gathering info for
this report. But this bug (or feature) seems to affect all kernels,
Is there anyway to fix this "bug" or is it a built-in feature. So that
like reppid simply can't take over an existing PID.
Probably the intruders have been using something similar to the program
Reppid found at http://www.psychoid.lam3rz.de/reppid.c.
I would be grateful for an answer, even a simple "No,
it's not a bug, it's a feature" would help.
Carl Oeberg, (firstname.lastname@example.org)
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to email@example.com
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/