We have noticed some unusual files on one of our webservers outside our
System: Suse linux 6.1
standard size of /bin/login : 325940 May 1 1999
new size /bin/login : 290652 May 1 1999
other odd files : /root/etc.z
/root/execute 0 bytes
/root/fetch 0 bytes
ps reported the following unusual process
/usr/sbin/sendmail -FCronDaemon -odi -oem -or0s -root
The machine is now offline of course. We will be re-installing a later
version of the OS today.
Does anybody recognise this as a known exploit?
The new login binary wasn't using the passwd file and wouldn't allow
logins from legit users.
Sysadm, Support, Technical
Internet solutions for business
1 Westgate, Otley, West Yorkshire LS21 3AT
Registered in England No 3229164
Registered office: 20-22 Bedford Row, London WC1R 4JS