* * * * *
                                        
                        Not that bad, as these things go
                                        
Well, the server was hacked [1], but it looks to be a customer account was
compromised, since the executables where owned by a customer account, the
processes were running on unpriviledged ports, and the server was being used
as part of denial of service attacks, with executables hidden under a hidden
directory in /var/tmp.

Fortunately, the system hacked is running Linux without module support, so
patching system calls [2] to hide activity is impossible without a reboot
(which would be noticed).

And as always, it could have been worse [3].

[1] gopher://gopher.conman.org/0Phlog:2006/01/16.3
[2] http://lib.ru/SECURITY/linux_module_heroin.txt
[3] gopher://gopher.conman.org/0Phlog:2004/09/19.1

Email Sean Conner at sean@conman.org

.