LinuxQuestions.org
Linux - Security forum
Thread: vadimII

#1, 01-09-2003, 04:25 PM, jeffpoulsen (Member, registered Sep 2002):
I think I've been hacked. One day, after letting HTTP and FTP pass through my router so I could host some files, I came home to find my server flooding the network. I noticed a thread process that I think may have something to do with the problem. The process was called /root/vadimII. I did a Google search for the name and found only 2 returns, but they were about being hacked. Has anyone heard of this hack? If I do a clean install of RH 8.0, would that stop this problem from happening? The machine was not logged into as root. I am at a loss. If anyone can help I would be grateful. jeff
 
#2, 01-10-2003, 04:04 AM, unSpawn (Moderator, registered May 2001):

OK. Your goal will be to reformat your drive and then reinstall Linux from scratch. Sorry, there's no other way.

Preparations.
Stance. You must regard every aspect of this box as untrusted. This means no unauthorized access to the box, no unauthorized transfers from/to the box, and no execution of binaries on the box.
Disconnect. First thing is to disconnect your box from the network.
This will deny remote access to the box, disabling any way a cracker has to fsck with your box after she's been found out.
Notify. Notify people you deal with if necessary. Notify CERT if necessary. Firing off a warning will make sure people you deal with have a chance to examine their boxen for data integrity and malicious activity.
Investigate. Now you will have to make a choice depending on your knowledge and resources. If you want to find out how the cracker entered the box, you will have to make a disk image to a spare drive. Do not use binaries from that box! Instead boot tomsrtbt, Biatchux or your distro's rescue CD or floppies.
With the image you can later on examine its contents, restore deleted files and try to build a timeline to find out which services were compromised to allow access.
* Running "ps" won't matter. If a Linux Kernel Module (LKM) like Adore was used, processes and dirs will be hidden. Adore will still work after a reboot.
If you don't want to investigate in full, then save your human-readable logfiles and configs. Store them write-protected and mark them "contaminated" so you do not use them by accident or without verifying their contents. Do not attempt to save binaries.
*If you have saved a copy of an Aide or Tripwire database on read-only media, you may run a check by booting the checker binary from trusted, read-only media only.
Format and reinstall. Formatting the disks and the MBR will make sure no data is left to gain access.

Post ops.
You will have to examine backups for their validity. Destroy if unsure.
Replace all passwords. If you don't, gaining access again will be easier. You cannot assert a cracker did not mail out passwords from your box. The same goes for other means of authentication, like ssh keys.
Before you put the box back on the network, make a "baseline" database with a system integrity checker like Aide, Samhain or Tripwire. Store the db on read-only media. Remove unwanted software and services. Upgrade all services you will run. Update all software you will run. Harden the box using Bastille-Linux or similar. Place restrictions on users and ultimately add precautions in the system and kernel that will disable easy cracking methods, like the Grsecurity kernel patches.

More info:
*I compiled my list of references a while ago, so there's lots of stuff in here you might not be interested in at this point, maybe later on. HTH:

Basic references:
- AUSCERT UNIX Computer Security Checklist (Version 1.1) www.cert.org/tech_tips/AUSCERT_checklist1.1
- Steps for Recovering from a UNIX or NT System Compromise www.cert.org/tech_tips/root_compromise.html
In fact read the whole of http://www.cert.org/tech_tips/
- The CIT Computer Security Handbook: www.cit.nih.gov/security/handbook.html
- Aging stuff from Phrack, good to read back to be sure, like "Unix System Security Issues" www.fc.net/phrack/files/p18/p18-7.html
- SEI stuff like www.sei.cmu.edu/publications/lists.html handling IDS
- Intrusion Detection and Network Auditing on the Internet www.infosyssec.net/infosyssec/intdet1.htm

Top it off with some reading material on security:
- Security tips: www.cert.org/tech_tips/ and www.cert.org/security-improvement/, http://www.securityportal.com/resear...xsecurity.html
- Top ten vulnerabilities: www.sans.org/topten.htm and http://www.cert.org/present/cert-ove...ends/index.htm
- Firewalling: www.infosyssec.net/infosyssec/firew1.htm, www.linux-firewall-tools.com/linux/
- Securing Xwindows: http://www.uwsg.indiana.edu/usail/ex...d/xsecure.html

Basic Linux references:
- The SANS Reading room: Linux issues (used Google's cache): http://www.sans.org/infosecFAQ/linux/linux_list.htm
- the LASG or Linux Administrator's Security Guide,
- Securing Optimizing Linux RH Edition(1),
- Linux Security HOWTO,
- Linuxsecurity.com have a Quickreference pdf card.
- Post-Installation Security Procedures (Linuxjournal)
- Security Quick-Start HOWTO for Linux,
- The Linux-PAM System Administrators' Guide
- Armoring Linux,
- A Short Course on Systems Administration and Security Under Unix(1)
- SAG: The Linux System Administrator's Guide,
- Basics on firewalling: www.linuxdoc.org/HOWTO/Firewall-HOWTO.html
- Basic introduction to building ipchains rules: www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html
- Explanation of the Ipchains log format: logi.cc/linux/ipchains-log-format.php3
- Ipchains log decoder: dsl081-056-052.dsl-isp.net/dmn/decoder/decode.php
- The Iptables HOW-TO: http://people.unix-fu.org/andreasson/index.html
- LQ notes on Linksys security: http://www.linuxquestions.org/questi...007#post157007
- The Unix Auditor's Practical Handbook: http://www.nii.co.in/tuaph.html
- Neohapsis archives: http://www.neohapsis.com
- Linux Gazette: http://www.linuxgazette.com
- Experts exchange: http://www.experts-exchange.com
- Linuxsecurity.com, SecurityFocus.com
- Matt's Unix Security Page: http://www.deter.com/unix/
- IRIA: http://www.ists.dartmouth.edu/IRIA/k...base/index.htm
- E-secure-db Security Information database: http://www.e-secure-db.us/dscgi/ds.p...ollection-1586
- eBCVG.com's security portal: http://www.ebcvg.com/info.php
- Jay Beale's docs (Bastille-linux/CIS): http://www.bastille-linux.org/jay/se...icles-jjb.html
- Snort: IDS Installation with Mandrake 8.2, Snort, Webmin, Roxen Webserver, ACID, MySQL: http://www.linux-tip.net/workshop/id.../ids-snort.htm
- Snort: Database support FAQ: http://www.incident.org/snortdb/
- How to Build, Install, Secure & Optimize Xinetd: http://www.openna.com/documentations...netd/index.php
- Linuxmag: Hardening Linux Systems: http://www.linux-mag.com/2002-09/guru_01.html

Finally, about Vadim. From the source code of its predecessors vadim and vadimI we see vadimII is named after the Romanian politician Corneliu Vadim Tudor. If sniffed on the wire, a clue for marking payloads is in the source: #define Vadim_STRING "0123456789", which it later sends with send(s, Vadim_STRING, Vadim_SIZE, 0);. Running strings on the binary reveals the text "Vadim v.II[beta release] by Luciffer".
Like sl2, sl3 or slice, they are DoS flooders. If unpacked from the default archives it'll usually be in the vicinity of more flooders, IRC bouncers and (broadcast address) scanners. If hidden with an LKM like Adore, dirs and processes will not show up after a reboot.

Good luck.
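The "Investigate" step of the reply above (image the disk to a spare drive from rescue media, keep human-readable logs and configs write-protected and marked "contaminated", never run the box's own binaries) can be turned into a small set of shell helpers. The script below is an added example written for this page; it is not code from the original post or from any of the tools it names. The device and mount paths (/dev/hda, /mnt/suspect, /mnt/spare/evidence) are assumptions, and mount_suspect needs root and a real block device, so the other helpers are written to also work on an ordinary file so they can be tried out without one.

```shell
#!/bin/sh
# Evidence-preservation helpers for the "Investigate" step. Added example,
# not from the original post. Run them from a trusted rescue system
# (tomsrtbt, your distro's rescue CD); never from the compromised disk.
# /dev/hda, /mnt/suspect and /mnt/spare/evidence below are assumed paths.
set -u

EVIDENCE_DIR="${EVIDENCE_DIR:-/mnt/spare/evidence}"
MANIFEST="$EVIDENCE_DIR/SHA256SUMS"

# Mount the suspect filesystem so nothing on it can run or be altered:
# read-only, no setuid, no device nodes, no execution. Needs root.
mount_suspect() {
    # usage: mount_suspect /dev/hda1 /mnt/suspect
    mkdir -p "$2" && mount -o ro,noexec,nosuid,nodev "$1" "$2"
}

# Hash a file and append the digest to the manifest, so later analysis
# can prove the evidence has not changed since it was collected.
record_hash() {
    mkdir -p "$EVIDENCE_DIR" || return 1
    sha256sum "$1" >> "$MANIFEST"
}

# Bit-for-bit image of a device (or, for practice, any file) to the spare
# drive. conv=noerror,sync keeps going past unreadable sectors and pads
# them with zeros so every later offset stays where it was on disk;
# bs=512 matches the sector size, so a healthy disk gets no padding.
image_disk() {
    # usage: image_disk /dev/hda "$EVIDENCE_DIR/hda.img"
    mkdir -p "$(dirname "$2")" || return 1
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null || return 1
    record_hash "$2"
}

# True when the image has the same digest as its source (only expected
# when the source size is a multiple of 512 bytes, as block devices are).
image_matches() {
    # usage: image_matches /dev/hda "$EVIDENCE_DIR/hda.img"
    [ "$(sha256sum < "$1" | cut -d' ' -f1)" = \
      "$(sha256sum < "$2" | cut -d' ' -f1)" ]
}

# Save a human-readable log or config under a CONTAMINATED- name, made
# read-only, so it is never mistaken for a trusted copy or used by accident.
# Binaries are deliberately not handled: save nothing you might execute.
preserve_text_file() {
    # usage: preserve_text_file /mnt/suspect/var/log/messages
    src="$1"
    dest="$EVIDENCE_DIR/CONTAMINATED-$(printf '%s' "$src" | tr '/' '_')"
    mkdir -p "$EVIDENCE_DIR" || return 1
    cp -p "$src" "$dest" || return 1
    chmod 0444 "$dest" || return 1
    record_hash "$dest" || return 1
    printf '%s\n' "$dest"
}

# Re-check everything collected against the manifest. Non-zero means some
# item was modified, so the evidence (or the spare drive) is no longer
# trustworthy.
verify_evidence() {
    sha256sum -c "$MANIFEST" >/dev/null 2>&1
}
```

The manifest is the important part: an image or a saved logfile is only worth anything later if you can show it is still the bytes you collected, and the read-only copies with a CONTAMINATED- prefix make it hard to mistake a pulled config for one you can reuse on the rebuilt box.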