Slackware 10.2 (personal machine)
I was running a VNC server on a standard port, and someone broke in. I wouldn't have known it if I hadn't hit CTRL+V, where the cracker left a URL that he had copied to the clipboard. The URL pointed to this site, which contains 2 Trojan files, Trojan.BAT.Zapchast (Win32 EXEs). He definitely downloaded one of the files because it was marked as "visited" in Firefox, but he then deleted it because it's not there anymore. He may have hijacked my computer to scan other computers for vulnerabilities.
http://www.promisance.co.uk/crawlers/
This may be the vuln he got in with:
http://www.securityfocus.com/archive.../30/0/threaded
I have little to no experience with this type of stuff. What do I do now? I have taken the following steps:
1) I shut down the VNC server.
2) syslog shows nothing out of the ordinary (besides failed SSH attempts)
3) sudo log shows nothing out of the ordinary
4) netstat -A shows nothing out of the ordinary
5) ps -aux shows nothing out of the ordinary
6) My router shows many attempts to connect to my VNC server from many different IPs. I have saved this info.
7) My SSHD server is set to "deny : ALL" except for 4 IPs I will keep secret.
8) I ran find -mtime and found this interesting: 8 days ago a file called winnt.exe was placed in a folder on my desktop. I did NOT download this file.
$ sudo find / -mtime 8 -print
/home/sean/Desktop/eek/winnt.exe
/home/sean/.mozilla/firefox/15pcn71n.default/extensions/{DDC359D1-844A-42a7-9AA1-88A850A938A8}/history.xml
/home/sean/.mozilla/firefox/15pcn71n.default/Cache/8E56ECEEd01
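One caveat a responder would want on step 8 above: `find -mtime 8` matches only files whose age, rounded down to whole 24-hour periods, is exactly 8 days, so anything dropped 7 or 9 days ago is silently skipped. The range form `-mtime -9` (less than 9 days old) is the usual sweep for a suspected intrusion window. The script below is an added example written for this page, not something from the original poster; it builds a throwaway directory with constructed timestamps (the file names are made up to mirror the post) and compares the two forms.

```shell
#!/bin/sh
# Added example, not from the original post. Requires GNU touch/find/mktemp.
# Builds a scratch tree with constructed mtimes and shows why an intrusion
# sweep should use the range form of -mtime rather than an exact day.

# Create a scratch tree with constructed timestamps and print its path.
make_fixture() {
  dir=$(mktemp -d)
  mkdir -p "$dir/Desktop/eek" "$dir/.cache"
  touch -d "8 days ago"  "$dir/Desktop/eek/winnt.exe"   # constructed: exactly 8 days old
  touch -d "7 days ago"  "$dir/.cache/dropped.bin"      # constructed: would be missed by -mtime 8
  touch -d "30 days ago" "$dir/old.txt"                 # constructed: outside the window
  printf '%s' "$dir"
}

# Files whose age, in whole days, is exactly 8 (the form used in the post).
count_exact_8() {
  find "$1" -type f -mtime 8 | wc -l | tr -d ' '
}

# Files modified less than 9 days ago (everything in the suspect window).
count_within_9() {
  find "$1" -type f -mtime -9 | wc -l | tr -d ' '
}

# Human-readable report of the window, newest first, for the responder's notes.
report_within_9() {
  find "$1" -type f -mtime -9 -printf '%TY-%Tm-%Td %TH:%TM %p\n' | sort -r
}

# Stand-alone demonstration when run directly.
demo() {
  d=$(make_fixture)
  echo "exact 8 days: $(count_exact_8 "$d") file(s)"
  echo "within 9 days: $(count_within_9 "$d") file(s)"
  report_within_9 "$d"
  rm -rf "$d"
}
demo
```

On a real host the sweep is the same command with `/` in place of the fixture path, run as root so permission-denied directories are not skipped, and the output saved alongside the router logs before anything is cleaned up.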