VA Linux 6.2.4, Internet server running Sendmail, DNS, radius, and HTTP/FTP services. Two identical servers have been hacked by the same people.
The command line used is not in the keystroke buffer, but from the PS command we get this:
"./s3 0 126.96.36.199 1 56650 1 800"
The intruder apparently created the following folders:
/dev/. /s3 (there is a space after the period)
The s3 folder has several megs of files in it; we're not sure if it's a legitimate folder renamed, or if files have been copied to it. The PS command shows only the line above with the intruder's IP address, and several lines of NFSIOD and OSDBO. We rebooted one machine, and it's toast, would not boot back up, and we're afraid to reboot the other just yet for the same reason. When the intruder attaches, we can disconnect him and he'll reattach almost immediately. While he's attached, our graphs show heavy data being transferred.
Does anybody recognize this hack process? Can you tell me what it's doing, and most importantly how to reverse the effects before this system crashes?
I'm offering all the points I have!
Also posted in Network Security for 300 points!
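A small triage helper for the two indicators in the post (a directory hidden under /dev with a name like ". /s3", and a process launched from it), added here as an example and not part of the original post or any tool mentioned in it. It assumes a Linux /proc filesystem for the process check; the directory scan works on any POSIX system and takes an alternate root so it can be tried on a scratch directory first.

```shell
#!/bin/sh
# Added example: find directories whose name begins with a dot or contains
# whitespace under a root (default /dev). Such names are unusual in /dev and
# rarely noticed, which is what makes "/dev/. /s3" easy to miss in a listing.
find_hidden_dirs() {
    root="${1:-/dev}"
    find "$root" -mindepth 1 -type d \( -name '.*' -o -name '* *' \) 2>/dev/null | sort
}

# Size up a suspect directory without opening its contents: file count and
# total bytes, to judge the "several megs" before deciding what to preserve.
summarize_dir() {
    dir="$1"
    count=$(find "$dir" -type f | wc -l | tr -d ' ')
    # wc per file (not batched) so no "total" line is double counted.
    bytes=$(find "$dir" -type f -exec wc -c {} \; | awk '{s+=$1} END {print s+0}')
    printf '%s\t%s files\t%s bytes\n' "$dir" "$count" "$bytes"
}

# Linux only: list PIDs whose executable or working directory lives under the
# given root, which is how a binary started as "./s3" from inside /dev shows up
# even when its argv has been changed to look like NFSIOD or similar.
procs_under() {
    root="$1"
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        cwd=$(readlink "$p/cwd" 2>/dev/null) || cwd=""
        case "$exe $cwd" in
            *"$root"/*) printf '%s\t%s\t%s\n' "${p#/proc/}" "$exe" "$cwd" ;;
        esac
    done
}

# Stand-alone run: scan /dev for hidden directories and processes rooted there.
for d in $(find_hidden_dirs /dev | tr ' ' '\001'); do
    summarize_dir "$(printf '%s' "$d" | tr '\001' ' ')"
done
procs_under /dev
```

Preserve anything the scan reports (copy it off the box, do not delete it) before any reboot; the post already shows what rebooting did to the first server.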