Hello, thanks for the replies.
I found out that my system is compromised when I ran netstat -a and saw some suspicious open ports; one of them was opened by a renamed ssh server (I wrote a simple program which listens on that port now and logs the IPs trying to connect). Then I used chkrootkit and the output is:
Searching for Suckit rootkit ... Warning: /sbin/init INFECTED
[root@kasia chkrootkit-0.43]# ls -li /sbin/*init*
6527 -rwxr-xr-x 1 root root 27036 maj 22 01:38 /sbin/init
978 -rwxr-xr-x 1 root root 32732 mar 13 2003 /sbin/initlog
588 -r-xr-xr-x 1 root root 12588 lut 20 2003 /sbin/lvmcreate_initrd
913 -rwxr-xr-x 1 root root 14737 lut 18 2003 /sbin/mkinitrd
1001 -r-xr-xr-x 1 root root 4831 sty 25 2003 /sbin/pcinitrd
2413 -rwxr-xr-x 1 root root 16416 lut 25 2003 /sbin/stinit
6527 -rwxr-xr-x 1 root root 27036 maj 22 01:38 /sbin/telinit
[root@kasia chkrootkit-0.43]# ./chkproc -v
PID 17: not in readdir output
PID 17: not in ps output
PID 2959: not in ps output
PID 3089: not in ps output
You have 1 process hidden for readdir command
You have 3 process hidden for ps command
[root@kasia 17]# cat /proc/17/cmdline
initauto
[root@kasia 17]# cat /proc/17/environ
HOME=/TERM=linuxBOOT_IMAGE=linuxBOOT_FILE=/boot/vmlinuz-2.4.20-8
I dug around with Google and found
http://www.lugod.org/mailinglists/ar.../msg00102.html and there:
[...]
> Oops, looks like someone *already* "0wn3d" the box....
>
> $ cat /proc/14/cmdline
> initauto
>
> $ ls -al /sbin/init /sbin/telinit
> - -rwxr-xr-x 1 root root 26920 Apr 19 2002 /sbin/init
> - -rwxr-xr-x 1 root root 26920 Apr 19 2002 /sbin/telinit
>
> This is a sign that the SucKit rootkit was installed
But no word about how to remove this sh*t.
Does anybody know how to do it? /sbin/init u doesn't work.
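
The cross-view comparison behind the chkproc lines quoted in the post, as an added example that is not part of the original post and is not chkrootkit's own code: it compares the PIDs that answer a direct /proc/<pid> probe with the /proc directory listing and with ps. The function names are illustrative, and the Tgid filter is this example's assumption for keeping threads on current Linux kernels from showing up as false positives.

```python
import os
import subprocess

def readdir_pids(proc="/proc"):
    """PIDs visible when /proc is listed (the readdir view)."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}

def probed_pids(proc="/proc", max_pid=32768):
    """PIDs that answer when /proc/<pid>/status is opened directly."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            with open(os.path.join(proc, str(pid), "status")) as fh:
                fields = dict(line.split(":", 1) for line in fh if ":" in line)
        except OSError:
            continue  # no such PID, or it exited during the scan
        # Threads answer at /proc/<tid> without being listed; count an entry
        # only when it is its own thread-group leader (Tgid == probed number).
        if fields.get("Tgid", str(pid)).strip() == str(pid):
            found.add(pid)
    return found

def ps_pids():
    """PIDs printed by ps (the userland-tool view)."""
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

def cross_view(probed, listed, ps):
    """PIDs that exist when probed but are missing from each listing."""
    return {"hidden_from_readdir": sorted(probed - listed),
            "hidden_from_ps": sorted(probed - ps)}

if __name__ == "__main__":
    with open("/proc/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    # Take both listings before and after probing, so processes that start
    # or exit while the scan runs are not reported as hidden.
    listed, ps = readdir_pids(), ps_pids()
    probed = probed_pids(max_pid=pid_max)
    listed |= readdir_pids()
    ps |= ps_pids()
    for view, pids in cross_view(probed, listed, ps).items():
        print(view, pids)
```

A kernel-level rootkit can also subvert the direct probe, so an empty result from the running system does not show that it is clean.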