
[suse-security] SuSE 8.1 hacked?


I just got some services (mysql, postfix, cvs...) shut down, took a look at 
/tmp, and found a miro.tgz and a "miro" executable.

On the executable you can read:

.-= Backdoor made by Mironov =-.
.-= Running =-.

I don't know how much this attack may have compromised the system.

Under /var/log/ there are no clues on how they may have entered, 
/var/log/messages has been deleted.

Directories like /tmp or /var have changed permissions since the attack to 700.

Now ssh works really slow unless connected to Internet, and I feel very 
uncomfortable about connecting this server again to the Internet.

The system is a SuSE 8.1, I had it a little forgotten lately, though.

Does anybody know anything about how they may have entered the system and how 
can I arrange it? I'm seriously thinking about installing a SuSE 9.0, but 
want to know what happened before doing anything.

Thanks in advance.
