.mech
Tim
ignored_mailbox at yahoo.com.au
Mon Jul 7 14:08:35 UTC 2008
On Mon, 2008-07-07 at 08:49 -0500, Fedora User wrote:
> There has been a lot of traffic on a machine lately.
> Someone noticed a .mech/.stealth directory in /var/tmp/...
> which looks kind of like a virus. It does suspicious
> things. There is a file called cyc.pid which contains
> a process id. When I did a ps on the ID I found only
> "ps" was running. However, in that same directory I noticed
> an executable called "ps". The ps on ps showed it had been
> running for the last 4 or 5 days, and a regular linux ps runs
> no more than a few seconds. There is also an executable there
> called "pico" and several server files all pointing to undernet.org.
>
> Has anyone else run into this? Is it a virus? Is like an
> IRC bot. What can be done?
I Googled cyc.pid and found:
http://www.webhostingtalk.com/showthread.php?t=423617 It doesn't sound
good. But you should do more research than I did.
The other doesn't like nice, either:
http://www.google.com.au/search?q=%2Fvar%2Ftmp%2F+mech+stealth
Once you've worked out what to do about them (*try* and repair, and
possibly miss something, or wipe out and start again), look into making
your web server more secure *BEFORE* you make it accessible.
--
[tim at localhost ~]$ uname -r
2.6.25.9-76.fc9.i686
Don't send private replies to my address, the mailbox is ignored. I
read messages from the public lists.
More information about the users
mailing list