Security Incidents mailing list archives

two machines hack through rpc.statd


From: Vegard Svanberg <vegard () SVANBERG NO>
Date: Wed, 7 Mar 2001 14:47:16 +0100

Hi.

I admin two servers that were recently hacked.  They were just installed
with RH7 and really not important (and not in production) so there was
no big deal.  However, that is not an excuse for hacking them, so I'd
like to report this guy to his local police so they could lock him up in
jail where he belongs.

I'd also like to get in touch with other people who've had similar
breakins from this guy.  This is _some_ of the info I have on what he
did:

1.  Exploited rpc.statd
2.  Fetched a package (secure.tar.gz) containing some scripts to clear
    the logs and a couple of RPMs to fix a couple of security holes.
3.  Patched rpc.statd.
4.  Configured inetd to run /bin/sh at port 666.  He firewalled the
    port.
5.  Ran a script ("g.sh" also known as "gh0st.sh") to wipe the logs.

He added user "r3wt" and "gid" to /etc/passwd and /etc/shadow with uid 0
and no password.  He also added an account "Vogz" which I believe is his
nickname.

Here are the hostnames/IP addresses he came from:

Vogz[9590]: LOGIN ON pts/2 BY Vogz FROM cx589008-a.vista1.sdca.home.com
xinetd[8755]: START: reg pid=9614 from=63.198.203.190

In addition, I am wondering how I should handle this further, and IF
I should.  I am currently located in Europe while he is probably in the
US or something, hacking from a rooted *DSL machine.  Any tips and
recommendations are appreciated.

Regards,
--
Vegard Svanberg <vegard () svanberg no>
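The indicators the post lists (extra uid-0 accounts, accounts with an empty password field, and an inetd service that launches /bin/sh) can be checked for mechanically. The following is an added example, not code from the poster or from the list; the sample passwd, shadow and inetd.conf contents are constructed to mirror the description above, and the check for shell-spawning services is general rather than tied to port 666.

```python
from pathlib import PurePosixPath

# Constructed sample files mirroring the indicators in the post
# (not the poster's real data): extra uid-0 accounts, empty
# password fields for them, and an inetd service spawning /bin/sh.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
vegard:x:500:500::/home/vegard:/bin/bash
r3wt:x:0:0::/:/bin/bash
gid:x:0:0::/:/bin/bash
Vogz:x:501:501::/home/Vogz:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$1$placeholder$constructedhash:11388:0:99999:7:::
r3wt::11388:0:99999:7:::
gid::11388:0:99999:7:::
"""
# "doom" is the /etc/services name for tcp/666; the line is constructed.
SAMPLE_INETD = """\
ftp   stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
doom  stream  tcp  nowait  root  /bin/sh  sh -i
"""
SHELLS = {"sh", "bash", "csh", "tcsh", "ksh", "zsh"}

def extra_uid0_accounts(passwd_text):
    """Usernames other than root whose uid field is 0."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            found.append(fields[0])
    return found

def empty_password_accounts(shadow_text):
    """Usernames whose shadow password field is empty."""
    return [f[0] for f in (l.split(":") for l in shadow_text.splitlines())
            if len(f) >= 2 and f[1] == ""]

def shell_services(inetd_text):
    """(service, server_path) pairs where inetd would launch a shell."""
    hits = []
    for line in inetd_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) >= 6 and PurePosixPath(fields[5]).name in SHELLS:
            hits.append((fields[0], fields[5]))
    return hits
```

Run the three functions against a host's real /etc/passwd, /etc/shadow and /etc/inetd.conf (or the xinetd service files) to surface the same kind of additions the post describes.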

