RH6 boxes cracked

["D. Scott Barninger" <barninger () CVN NET>]

Hello,

I am still trying to determine all that has been done but here is what I
know at the moment. If anyone has seen similar attacks please let me
know what to look for. For starters there appears to be a trojanized su
binary installed. When calling su there is a delay of approximately 6-8
seconds after entering the root password before a shell prompt is
returned. A log message indicates that "call_pam_xauth" successfully
forked a child (returned 1). At that point a check on the /dev directory
shows most everything has altered user/group and/or permissions. The tty
from which the su command was issued is now owned by my user rather than
root as well as /dev/hdb. /dev/tty* is now writeable by group etc.
Reinstalling the dev and sh-utils packages corrects things until the
next time su is run. The same is true on 2 other boxes from which I
typically rlogin over the internal network (primary box is a MASQ
gateway). About 2 days prior to discovering this I got port-scanned and
logged rejected packets on a netbios port (I did have netbios service
exposed for remote connections).

Any insights would be greatly appreciated.

Scott