“About 9 months ago I started doing security consulting work for
my ISP. In exchange for free internet access, I would look over
their machines and check for security flaws, cracked accounts, etc.
They had a pretty typical setup for an ISP. The webservers were
running Red Hat and Apache, the email server was an NT machine
running Imail and their two DNS servers were running Red Hat and
OpenBSD.”
“The first machine I had access to was a webserver/production
machine running Red Hat 5.0. The machine was used to write CGI
programs for their clients and to test the programs out.”
“When I first got on the machine, everything looked normal
except for the logs. For some reason, utmp and wtmp looked like
they had been corrupted. Whenever I would issue a ‘who’ or ‘last’
command, I would get garbage back. I suspected a trojan program,
especially after the files were zeroed and the output from the
programs was still corrupted.”
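The symptom described above, garbage from `who` and `last` even after utmp/wtmp were zeroed, is a reason to read the accounting files with an independent parser instead of trusting the system binaries. The following is an added example, not code from the consultant quoted here; it assumes the modern glibc x86_64 `struct utmp` layout (384 bytes), which differs from the Red Hat 5.0 layout of the story, and runs over a constructed two-record sample.

```python
import struct
from datetime import datetime, timezone

# glibc x86_64 struct utmp: ut_type, pad, ut_pid, ut_line[32], ut_id[4],
# ut_user[32], ut_host[256], ut_exit{2h}, ut_session, tv_sec, tv_usec,
# ut_addr_v6[4], 20 unused bytes. Layout is an assumption for this example.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS = 7
VALID_TYPES = set(range(0, 10))        # EMPTY .. ACCOUNTING


def _cstr(raw):
    """NUL-terminated field as text; latin-1 keeps every byte visible 1:1."""
    return raw.split(b"\0", 1)[0].decode("latin-1")


def parse_utmp(data):
    """Parse raw utmp/wtmp bytes into one dict per record (trailing partial record dropped)."""
    records = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack(UTMP_FMT, data[off:off + UTMP_SIZE])
        records.append({"type": f[0], "pid": f[1], "line": _cstr(f[2]),
                        "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9]})
    return records


def suspicious(records, now=None):
    """(index, reason) pairs for records that no sane login process would write."""
    now = now or int(datetime.now(timezone.utc).timestamp())
    flags = []
    for i, r in enumerate(records):
        if r["type"] not in VALID_TYPES:
            flags.append((i, "unknown ut_type %d" % r["type"]))
        for field in ("user", "line", "host"):
            if any(not 32 <= ord(ch) < 127 for ch in r[field]):
                flags.append((i, "non-printable bytes in ut_%s" % field))
        if not 0 <= r["time"] <= now:
            flags.append((i, "implausible timestamp %d" % r["time"]))
    return flags


def _record(ut_type, pid, line, user, host, ts):
    """Build one constructed utmp record for the sample below."""
    return struct.pack(UTMP_FMT, ut_type, pid, line, b"", user, host,
                       0, 0, 0, ts, 0, 0, 0, 0, 0)


# Constructed sample: one clean 1998 login, one record full of garbage.
SAMPLE = (_record(USER_PROCESS, 4242, b"tty1", b"alice", b"console", 884000000)
          + _record(0x7f7f, -1, b"\xff\xfe", b"\x01\x02root", b"", 0x7fffffff))

if __name__ == "__main__":
    for idx, why in suspicious(parse_utmp(SAMPLE), now=900000000):
        print("record %d: %s" % (idx, why))
```

Comparing this parser's view of `/var/run/utmp` and `/var/log/wtmp` with what the installed `who` and `last` print is a cheap first check for whether the files or the binaries are the corrupted part.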