Security Basics mailing list archives

lsof t0rn problem


From: Earnest <earnest () photoasp net>
Date: Sun, 22 Jun 2003 16:13:47 +0200

Hello All,

This morning I had some problems on the server, so I started to
investigate and found out that libncurses.so.4 was missing... I
recently upgraded mysql from 3.53 to 4.0.13 but that was it!

Okay, I did ln -s libncurses.so.5.2 libncurses.so.4

This quick fix resolved some problems. Then I ran chkrootkit and found
out that some of the files are (might be) infected with t0rn... Which
might be no problem, because chkrootkit checks libncurses as far as I
know.

To make sure, I ran lsof, and there was no output at all. ls -la
/usr/sbin/lsof told me that a different user (other than root) owned
lsof... I downloaded a clean version of lsof, compiled, ran but the
output seemed usual, no suspicious files or ports.

Besides, the /usr/sbin/lsof had a "sia" set of attributes (which did
not allow root to unlink the file on top of that)... I changed that,
and replaced the suspicious binary with a freshly compiled one.

The question is: is it a hacker attack? or some buggy software??
(mysql?)

Has anyone come across weird things like this?

regards Earnest
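
A triage check for the two anomalies reported in the message above (a system binary not owned by root, and attributes that stop root from unlinking it), as an added example that is not part of the original post. The function names and the sample lines are constructed for illustration; the input formats are those of `lsattr` and `ls -ln`.

```shell
#!/bin/sh
# Added example: flag files with immutable/append-only attributes or a
# non-root owner. Sample data below is constructed, not from the post.

# Read `lsattr` output on stdin; print paths whose flag field contains
# i (immutable) or a (append-only). Uppercase A/I are different flags.
attr_flagged() {
    while read -r flags path; do
        case "$flags" in
            *[ia]*) printf '%s\n' "$path" ;;
        esac
    done
}

# Read `ls -ln` output on stdin; print paths whose numeric owner is not 0.
# The "total N" header has no uid field and is skipped.
nonroot_owned() {
    while read -r perms links uid gid size mon day time name; do
        if [ -n "$uid" ] && [ "$uid" != 0 ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Constructed sample inputs so the parsers can be exercised offline.
sample_lsattr() {
    printf '%s\n' \
        's---ia------- /usr/sbin/lsof' \
        '------------- /usr/sbin/sshd' \
        '-------A----- /usr/sbin/crond'
}
sample_ls() {
    printf '%s\n' \
        'total 312' \
        '-rwxr-xr-x 1 0 0 95320 Jun 20 2003 /usr/sbin/sshd' \
        '-rwxr-xr-x 1 502 502 88412 Jun 21 2003 /usr/sbin/lsof'
}

# Live use against a directory, e.g. `audit_dir /usr/sbin`.
audit_dir() {
    lsattr "$1" 2>/dev/null | attr_flagged
    LC_ALL=C ls -ln "$1"/* | nonroot_owned
}
```

On a host that may be compromised, the installed `ls` and `lsattr` can themselves be replaced, so run `audit_dir` with known-good copies of those tools first in `PATH`.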


