Well, I’ve pretty much discovered what was going on with my box being hacked, and I’m fairly happy I’ve cleaned out the ‘infection’.
I run clamscan regularly on my box, even though it’s a Linux box and from what I’ve heard there’s never been a live self-propagating Linux virus, ever (although, isn’t that what this was?); only hacks. In fact, I was planning on stopping the thing from running, but I’m glad I didn’t now.
It told me I was infected with Linux.RST.B-1. I had a Google (naturally) to find out what this was and came across a series of posts from someone else who’d found this hack.
Turns out it’s a brute-force zombie ssh cracking tool which is dumped on unsuspecting boxes and used to crack other boxes. It manifests in /var/tmp as a tarball i.tgz which extracts as /var/tmp/irc owned by the local account that got cracked:
-rw-r--r-- 1 guest nobody 957277 2008-04-23 10:26 i.tgz
drwx------ 2 guest nobody   4096 2008-04-28 16:36 irc
In the irc directory, there’s a whole load of stuff, including the rogue ‘ssh’ program I saw running, plus wads of possible username/password combinations. And yes, my guest account was in there! I thought I was being so clever with its password as well :-/ No matter, you can’t ssh into my box as guest any more now.
Suffice to say, I’ve deleted that stuff now, as well as locked down the box (even more than it was).
There is an addendum which might be of use: my box has effectively only been upgraded since I first installed an early-ish RedHat OS. As such, there are probably a few oddities hanging about that wouldn’t be there in a modern full install. Other people may have the same thing.
I was verifying the exes in /bin which can apparently sometimes be rootkitted by the above crack, and I got a mismatch with rpm:
> rpm -q --verify rpm
....L...    /usr/lib/rpm/athlon-linux
....L...    /usr/lib/rpm/i386-linux
S.5.....    /usr/lib/rpm/i386-linux/macros
....L...    /usr/lib/rpm/i486-linux
....L...    /usr/lib/rpm/i586-linux
....L...    /usr/lib/rpm/i686-linux
....L...    /usr/lib/rpm/noarch-linux
Well, this was worrying, but upon investigation it transpires that the old RedHat install had used some odd symbolic links to point to the rpm macros file, and these had never been removed, causing some odd overwrites to occur as newer rpms were installed.
> rpm -q --verify rpm
> cd /usr/lib/rpm
> for sys in athlon i386 i486 i586 i686 noarch; do rm $sys-linux; mv $sys-redhat-linux $sys-linux; done
> smart reinstall rpm
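Reading rpm --verify output by eye is easy to get wrong, so here is a small parser, added as an example and not part of the original post, that buckets each line by what actually changed: a size/digest/mode change on a file (the thing to worry about when checking for rootkitted binaries) is separated from a symlink-target-only mismatch like the stale RedHat links above, from metadata-only changes, and from missing files. The sample input is the verify output above plus two constructed lines (an mtime-only change and a missing file) to exercise the other buckets.

```python
import re
from dataclasses import dataclass

# Attribute columns printed by rpm -V, in order (P only appears on newer rpm builds).
FLAG_NAMES = {
    "S": "size", "M": "mode", "5": "digest", "D": "device",
    "L": "symlink target", "U": "owner", "G": "group",
    "T": "mtime", "P": "capabilities",
}
# 8 or 9 attribute columns, optional file-type letter (c d g l r), then the path.
LINE_RE = re.compile(r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?:[cdglr]\s+)?(?P<path>/\S.*)$")
MISSING_RE = re.compile(r"^missing\s+(?:[cdglr]\s+)?(?P<path>/\S.*)$")

# Constructed sample: the seven lines from the post plus two made-up lines.
SAMPLE = """\
....L...    /usr/lib/rpm/athlon-linux
....L...    /usr/lib/rpm/i386-linux
S.5.....    /usr/lib/rpm/i386-linux/macros
....L...    /usr/lib/rpm/i486-linux
....L...    /usr/lib/rpm/i586-linux
....L...    /usr/lib/rpm/i686-linux
....L...    /usr/lib/rpm/noarch-linux
.......T    /usr/lib/rpm/rpmrc
missing     /usr/bin/rpmverify
"""

@dataclass
class VerifyLine:
    path: str
    flags: frozenset   # subset of FLAG_NAMES keys; empty for a missing file
    missing: bool = False

def parse_verify(output):
    """Parse rpm -V text into VerifyLine records; unrecognised lines are skipped."""
    records = []
    for raw in output.splitlines():
        line = raw.strip()
        m_missing = MISSING_RE.match(line)
        m_line = LINE_RE.match(line)
        if m_missing:
            records.append(VerifyLine(m_missing["path"], frozenset(), missing=True))
        elif m_line:
            flags = frozenset(c for c in m_line["flags"] if c in FLAG_NAMES)
            records.append(VerifyLine(m_line["path"], flags))
    return records

def triage(records):
    """Bucket records: content (S/5/M), symlink (only L), metadata (U/G/T/D/P), missing."""
    buckets = {"content": [], "symlink": [], "metadata": [], "missing": []}
    for r in records:
        if r.missing:
            buckets["missing"].append(r.path)
        elif r.flags & {"S", "5", "M"}:
            buckets["content"].append(r.path)
        elif r.flags == {"L"}:
            buckets["symlink"].append(r.path)
        elif r.flags:
            buckets["metadata"].append(r.path)
    return buckets
```

Run it over the real thing with `triage(parse_verify(subprocess.check_output(["rpm", "-Va"], text=True)))`; anything in the "content" bucket under /bin or /sbin deserves a reinstall and a closer look.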