Security Incidents mailing list archives

what is this ?


From: Roberto <cinini () TERRA ES>
Date: Sat, 18 Nov 2000 15:40:37 -0000

Hello list,
My Linux server running Red Hat 6.2 was compromised a few months ago
(statd, I think). I was only notified recently because there was some
scanning going on from there.

Here is the info:

dir : /lib/ldsyst.so = 
tkprs    tksnf    tksb  system

dir : /dev/tlpm =
234345 (which has my root password)

dir : /lib/ldlip.tk = 
shdcf     shhk      shhk.pub  shrs

There is an ssh process listening on port 47016 and it is
behind ssh 1.2.26. It was hidden as /usr/sbin/lpdq.

I have checked these files with strings name | grep /
and have found nothing.

dir  find  in.fingerd  ls  netstat  pstree   syslogd  
ifconfig  login   lsof  passwd  top  su   locate 


I ran chkrootkit from packetstorm and this is the only
strange thing it gave me...

Checking `ifconfig'...INFECTED

Checking `sniffer'...
eth0 is PROMISC
eth1 is not promisc

Checking `lkm'...You have     5 process hidden for ps 
command Warning: Possible LKM Trojan instaled

Any idea?


Many thanks,
--- Roberto 


