Way #8,428 to tell if your server has been hacked: the sshd binary is a 4 meg executable with perms of 777.

Way #8,429: there is an account in /etc/passwd that has a shell of “cd /usr/bin; ftp <ip>”.

Yes, a fun day at work.
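Both indicators above can be checked mechanically. The script below is an added example, not part of the original post; the function names, the sample accounts and the 192.0.2.10 address are constructed for illustration.

```shell
#!/bin/sh
# Added example: audits for the two indicators in the post. Function names
# and all sample data are constructed for illustration.

# Print "user: shell" for passwd entries whose shell is not listed in the
# allowed-shells file (/etc/shells format) or a common no-login program.
# Usage: suspicious_shells PASSWD_FILE SHELLS_FILE
suspicious_shells() {
    awk -F: '
        BEGIN { n = split("/sbin/nologin /usr/sbin/nologin /bin/false /usr/bin/false", d, " ")
                for (i = 1; i <= n; i++) ok[d[i]] = 1 }
        FILENAME == ARGV[1] { if ($0 ~ /^\//) ok[$0] = 1; next }   # allowed shells
        /^#/ || NF < 7 || $7 == "" { next }   # empty shell field means /bin/sh
        !($7 in ok) { print $1 ": " $7 }
    ' "$2" "$1"
}

# Exit 0 if the file is writable by group or other (for example mode 777).
# -L follows symlinks so the target's mode is tested, not the link's.
loosely_writable() {
    [ -n "$(find -L "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# Run both checks against constructed stand-ins for /etc/passwd,
# /etc/shells and the sshd binary.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' /bin/sh /bin/bash > "$dir/shells"
    # Constructed entries; 192.0.2.10 is a documentation-range address.
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup2:x:0:0::/:cd /usr/bin; ftp 192.0.2.10
EOF
    : > "$dir/sshd"; chmod 777 "$dir/sshd"
    suspicious_shells "$dir/passwd" "$dir/shells"
    loosely_writable "$dir/sshd" && echo "sshd: group/world-writable"
    rm -rf "$dir"
}
demo
```

On a live host the same functions take `/etc/passwd`, `/etc/shells` and the path to the installed sshd binary; any output is a reason to inspect the box from the console.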

  1. Not really. A server at work, still not sure how they got in (if they got it). Due to the non-working-ness of the sshd binary I’m going to guess they didn’t actually get shell on the box (hell, we couldn’t even get shell on the box without being on the console 🙂