Security Incidents mailing list archives

xsf/xchk


From: Vladimir Ivaschenko <hazard () francoudi com>
Date: Tue, 22 Jan 2002 18:20:19 +0200

Hi,

Today a RedHat 7.1 Linux machine belonging to a friend of mine was
compromised. I have just started investigating, so I don't have any
information on how it was done. After the attack, login via the console
stopped working.

I have found the following files in /usr/bin: xchk and xsf. They
are started from /etc/rc.d/rc.sysinit. xsf is an ssh daemon
listening on port 14859. I don't know what the purpose of xchk is.
killall and ps were also replaced by programs which hide xsf and
xchk.

Has anyone seen something similar before who can point me to some
information? I tried searching for xsf / xchk on Google and
didn't get any results.

-- 
Best Regards
Vladimir Ivaschenko
Certified Linux Engineer (RHCE)

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

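The post describes a userland rootkit pattern: trojaned ps and killall that hide two processes, plus a second sshd on an unusual port. The following is an added example (not code from the original message or its author) of the cross-check an investigator would run on such a box: compare the PID directories in /proc against what the suspect ps reports, and list LISTEN sockets straight from /proc/net/tcp rather than trusting netstat. The sample /proc/net/tcp text and PID sets below are constructed for illustration (port 14859 is taken from the post; the PIDs and inode numbers are made up). Note the caveat in the docstring: a rootkit that only replaces binaries cannot hide entries from /proc, but a kernel-level rootkit can, so a clean result here is not proof of a clean system.

```python
#!/usr/bin/env python3
"""Cross-check process and listener visibility on a Linux host whose
ps/killall/netstat binaries may have been replaced.

Two independent views are compared:
  * PID directories in /proc versus the PIDs the (possibly trojaned) ps prints
  * sockets in LISTEN state read directly from /proc/net/tcp

A userland rootkit that only swaps binaries cannot alter /proc; a kernel
rootkit could hide entries from /proc as well, so treat a clean result
as "no userland hiding found", not as "system is clean".
"""
import os
import subprocess

TCP_LISTEN = "0A"  # state column value for LISTEN in /proc/net/tcp


def parse_listen_ports(proc_net_tcp: str) -> dict:
    """Return {port: inode} for every LISTEN socket in /proc/net/tcp text.

    Columns (after split): sl, local_address, rem_address, st, tx:rx,
    tr:tm->when, retrnsmt, uid, timeout, inode, ...  Addresses and ports
    are hex.
    """
    ports = {}
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 10:
            continue
        local_addr, state, inode = fields[1], fields[3], fields[9]
        if state != TCP_LISTEN:
            continue
        port = int(local_addr.split(":")[1], 16)
        ports[port] = inode
    return ports


def parse_ps_pids(ps_output: str) -> set:
    """PIDs from `ps -e -o pid=` style output (one PID per line)."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}


def hidden_pids(proc_pids, ps_pids) -> list:
    """PIDs that exist in /proc but which ps did not report."""
    return sorted(set(proc_pids) - set(ps_pids))


def unexpected_ports(listen_ports: dict, expected=(22,)) -> list:
    """Listening ports outside the administrator's expected set."""
    return sorted(p for p in listen_ports if p not in expected)


# --- constructed sample data (not captured from the compromised host) ---
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 00000000 100 0 0 10 0
   1: 00000000:3A0B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 2002 1 00000000 100 0 0 10 0
   2: 0100007F:0016 0100007F:C3A1 01 00000000:00000000 00:00000000 00000000     0        0 3003 1 00000000 20 4 30 10 -1
"""
SAMPLE_PROC_PIDS = {1, 2, 456, 789, 1234}          # what /proc shows
SAMPLE_PS_OUTPUT = "    1\n    2\n  456\n  789\n"  # trojaned ps omits 1234


def live_cmdline(pid: int) -> str:
    """Read /proc/<pid>/cmdline for a PID ps did not show (live hosts only)."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            return f.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        return "?"


def live_report():
    """Run the same checks against the running host."""
    proc_pids = {int(d) for d in os.listdir("/proc") if d.isdigit()}
    ps_out = subprocess.run(["ps", "-e", "-o", "pid="],
                            capture_output=True, text=True, check=True).stdout
    for pid in hidden_pids(proc_pids, parse_ps_pids(ps_out)):
        print(f"hidden from ps: pid {pid} cmdline={live_cmdline(pid)!r}")
    with open("/proc/net/tcp") as f:
        listen = parse_listen_ports(f.read())
    for port in unexpected_ports(listen):
        print(f"unexpected listener: tcp/{port} (socket inode {listen[port]})")


if __name__ == "__main__":
    live_report()
```

On the constructed sample the checks report PID 1234 as hidden from ps and tcp/14859 as an unexpected listener. On a real box, the inode printed for the listener can be matched against /proc/<pid>/fd/* symlinks to tie the socket to its process, and since the host is Red Hat, `rpm -V procps` from a known-good copy of rpm will flag the replaced ps binary, provided rpm and its database were not tampered with too.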
