Mark Haney mhaney at ercbroadband.org
Mon Jul 7 14:01:02 UTC 2008

Fedora User wrote:
> There has been a lot of traffic on a machine lately.
> Someone noticed a .mech/.stealth directory in /var/tmp/...
> which looks kind of like a virus.  It does suspicious
> things.  There is a file called cyc.pid which contains
> a process id.  When I did a ps on the ID I found only
> "ps" was running.  However, in that same directory I noticed
> an executable called "ps".  The ps on ps showed it had been
> running for the last 4 or 5 days, and a regular linux ps runs
> no more than a few seconds.  There is also an executable there
> called "pico" and several server files all pointing to undernet.org.
> Has anyone else run into this?  Is it a virus?  Is like an
> IRC bot.  What can be done?
> Tony

If those files are pointing to undernet, it's quite likely that the 
system doesn't have a virus on it, it's been compromised via (possibly) 
by an unpatched security hole.    What does checkrookit say?  Do you 
have that on the box at all?

I have to say your best bet is to take that system off the network so it 
can't communicate it with the controller and blow it away and reinstall. 
  That's especially true if you don't have a lot of forensic experience 
trying to track down either the security hole or the b*stard that 
compromised it.

As it is, it looks like the ps executable is being redirected to the one 
in /var/tmp and pico is (was) a vi/emacs editor that I've not used in 
ages and ages.

Seems like they have enough control to edit root config files and do 
pretty much what they want.

Libenter homines id quod volunt credunt -- Caius Julius Caesar

Mark Haney
Sr. Systems Administrator
ERC Broadband
(828) 350-2415

Call (866) ERC-7110 for after hours support

More information about the fedora-list mailing list