We have a Redhat Linux v 7.2 system installed with cvsserver (also installed). Recently we put it into internet (telnet and rsh were disabled), however find it has been hacked meaning - system entered promiscuous mode, the passwd and other files has been modified. We are unable to access it locally or thorugh ssh.

Please advise in this regard how to find which files have been compromised/ changed! Please tell us how the intruder got thorugh and what must be done to prevent future occurence!

No offense, but with Redhat 7.2 (which is really, really old and I bet it's also unpatched) even user Joe should be able to hack you. If you are running a server it's vital to use an up-to-date and patched system...

Unplug your network cords, backup your important files (if they were not destroyed), format and reinstall the system. If you cant login as root, use a LiveCD to chroot your partitions and make the backups. Make sure to make a secure system next time you build a server. Take a look into OpenBSD if you want something secure and running a server with older hardware (as I think you do, since you are running an old Redhat OS)

Good luck though...

Some advisories on CVS from Redhat

FEDORA-2004-169: cvs
FEDORA-2004-170: cvs

RHSA-2003:012-07: Updated CVS packages available

mainly the double free bug
and some pserve related issues

and ifyou are not giving cvs access outright, maybe the ssh needed some updating as 7.2 isn't that up to date anymore.

RHSA-2002:043-10: Updated openssh packages available
RHSA-2002:127-18: Updated OpenSSH packages fix various security issues