[clug] mc-root anyone?

Michael Still mikal at stillhq.com
Thu Jun 18 04:34:17 GMT 2009


Hi.

I just had my ISP inform me that my machines were sending suspicious
traffic (yes, my ISP is really that cool), and I quickly found an
account with a poor password. The home directory for that account has a
directory named " ", which contained another directory called mc-root.
The contents there seem to be some sort of IRC controller, an update
system, and a ssh scanner. The updates and scanner are controlled out of
a cron job.

Now, I've deleted the compromised account, moved its home directory to
one side, and disabled the cron job. tcpdump confirms no more ssh
scanning coming from the machine. I'm also using update-manager to
upgrade to the latest Ubuntu, which will hopefully replace all the
system files just in case one of them is owned in some other manner.

Two questions:

 - is there anything else I should do to this machine?
 - does anyone else know what this thing is? Bing searching doesn't turn
much up.

Finally, everyone else might enjoy running:

  find / -type d -name mc-root -print

Cheers,
Mikal
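
A sweep for the two artefacts the message describes, a directory whose name is only whitespace and a cron entry that runs out of it, as an added example that is not part of the original post. It generalises from the single-space name to any whitespace-only name; the function names, the sample tree and the `update` file name are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and sample data are constructed.

# Print directories under $1 whose name is made up only of whitespace,
# such as the " " directory that held mc-root.
find_blank_dirs() {
    find "$1" -type d -exec sh -c '
        for d do
            case "${d##*/}" in
                "") ;;                  # search root given with a trailing slash
                *[![:space:]]*) ;;      # name has a visible character
                *) printf "%s\n" "$d" ;;
            esac
        done' sh {} +
}

# Print non-comment lines of crontab file $1 whose command path has a
# whitespace-only component ("/ /" or "/\ /"). Heuristic: a command that
# takes "/" as an argument followed by another absolute path also matches.
cron_refs_blank_dir() {
    grep -vE '^[[:space:]]*#' "$1" | grep -E '/(\\?[[:space:]])+/' || true
}

# Build a constructed sample tree and crontab under a temp directory.
make_sample() {
    s=$(mktemp -d) || return 1
    mkdir -p "$s/home/alice/projects" "$s/home/guest/ /mc-root" "$s/home/bob/my docs"
    cat > "$s/crontab.guest" <<'EOF'
# constructed sample crontab
*/10 * * * * "/home/guest/ /mc-root/update" >/dev/null 2>&1
0 4 * * * /usr/bin/updatedb
EOF
    printf '%s\n' "$s"
}

sample=$(make_sample)
find_blank_dirs "$sample/home"
cron_refs_blank_dir "$sample/crontab.guest"
rm -rf "$sample"
```

On a live system, point `find_blank_dirs` at `/home` and run `cron_refs_blank_dir` over each file in the per-user crontab spool directory.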

