Re: Long Exim break-in analysis
This is a "me too" email.
I found one overlooked machine that was compromised on the 16th of December.
The usual process-related things were replaced:
free pgrep pmap skill snice tload uptime w
kill pkill ps slabtop sysctl top vmstat watch
All of these were chattr +ai, as if that was going to stop someone who
knows what's going on :-)
One process hidden, called dropbear. It was easy to find when
comparing the output of the hacked ps with the actual content of
/proc, and then checking the /proc/pid/exe symlink. Since kill was
also replaced, I quickly wrote a wrapper in C for the kill() system
call, and sent it a KILL signal.
The rest of the machine appears untouched, but I'll probably reinstall anyway.
Cheers,
Izak
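The check Izak describes (diff the trojaned ps output against the numeric entries in /proc, read /proc/<pid>/exe, then signal the hidden process with a direct kill(2) call rather than the replaced kill binary) as one program. This is an added example, not Izak's wrapper or anything posted in the thread; the function names, the `ps -e` invocation and the sample ps output in the comments are my assumptions, and it only runs meaningfully on Linux.

```c
/* Added example (not from the original post): find PIDs that a replaced
 * ps omits by comparing its output with /proc, show where each hidden
 * PID's exe symlink points, and kill via the raw syscall so the
 * (possibly trojaned) kill binary is never used. */
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_PIDS 65536

/* True if a directory name is all digits, i.e. a /proc/<pid> entry. */
int is_pid_name(const char *name) {
    if (*name == '\0') return 0;
    for (const char *p = name; *p; p++)
        if (*p < '0' || *p > '9') return 0;
    return 1;
}

/* Pull the PID column (first token per line) out of `ps -e`-style text.
 * The header line ("PID TTY ...") is skipped because "PID" is not numeric. */
size_t parse_ps_pids(const char *ps_output, pid_t *out, size_t max) {
    size_t n = 0;
    const char *line = ps_output;
    while (*line && n < max) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        char buf[256];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        char *tok = strtok(buf, " \t");
        if (tok && is_pid_name(tok)) out[n++] = (pid_t)atoi(tok);
        if (!end) break;
        line = end + 1;
    }
    return n;
}

/* Enumerate the numeric entries of a proc-like directory. */
size_t list_proc_pids(const char *procdir, pid_t *out, size_t max) {
    size_t n = 0;
    DIR *d = opendir(procdir);
    if (!d) return 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL && n < max)
        if (is_pid_name(e->d_name)) out[n++] = (pid_t)atoi(e->d_name);
    closedir(d);
    return n;
}

/* PIDs present in /proc but missing from ps's list are the hidden ones. */
size_t find_hidden(const pid_t *in_proc, size_t nproc,
                   const pid_t *in_ps, size_t nps,
                   pid_t *hidden, size_t max) {
    size_t n = 0;
    for (size_t i = 0; i < nproc && n < max; i++) {
        int seen = 0;
        for (size_t j = 0; j < nps; j++)
            if (in_ps[j] == in_proc[i]) { seen = 1; break; }
        if (!seen) hidden[n++] = in_proc[i];
    }
    return n;
}

/* Resolve /proc/<pid>/exe into buf; returns 0 on success, -1 on error. */
int proc_exe(pid_t pid, char *buf, size_t len) {
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/exe", (int)pid);
    ssize_t r = readlink(path, buf, len - 1);
    if (r < 0) return -1;
    buf[r] = '\0';
    return 0;
}

/* kill(2) through the raw syscall: independent of the kill binary,
 * though a kernel-level rootkit could still interpose here. */
int raw_kill(pid_t pid, int sig) {
    return (int)syscall(SYS_kill, pid, sig);
}

int main(void) {
    static pid_t in_proc[MAX_PIDS], in_ps[MAX_PIDS], hidden[MAX_PIDS];
    static char psbuf[1 << 20];
    size_t np = list_proc_pids("/proc", in_proc, MAX_PIDS);
    FILE *ps = popen("ps -e", "r");   /* the suspect ps; assumed invocation */
    if (!ps) { perror("popen"); return 1; }
    size_t got = fread(psbuf, 1, sizeof psbuf - 1, ps);
    psbuf[got] = '\0';
    pclose(ps);
    size_t nps = parse_ps_pids(psbuf, in_ps, MAX_PIDS);
    size_t nh = find_hidden(in_proc, np, in_ps, nps, hidden, MAX_PIDS);
    for (size_t i = 0; i < nh; i++) {
        char exe[4096];
        if (proc_exe(hidden[i], exe, sizeof exe) == 0)
            printf("hidden pid %d -> %s\n", (int)hidden[i], exe);
        else
            printf("hidden pid %d (exe unreadable: %s)\n",
                   (int)hidden[i], strerror(errno));
        /* raw_kill(hidden[i], SIGKILL);  enable after inspecting exe */
    }
    return 0;
}
```

Two caveats: a process that exits between the /proc walk and the ps run shows up as a false positive, so confirm the exe link before signalling; and because the whole check runs on the compromised host, a rootkit that filters /proc at the kernel level defeats it, which is one more reason to follow Izak's plan and reinstall.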