Possible Rootkit - .std folder in /tmp

Hello,

I just did my daily check of /tmp and noticed a new folder. It was named '.std'. Inside the folder were .c files and what looked like a file named 'nc1' that was not executable.

I also noticed that the passwd file was in that folder, and when going in it, it was a copy of the /etc/passwd.

I have already made /tmp noexec and all, and have set it so only root can run the compiler.

Running chkrootkit lists all not detected.

I don't know what to make of this; it looks like in some ways they were successful and unsuccessful in others.

Can anyone advise on how to determine how this got there and how they were able to grab the passwd file? I give shell access out to only a few that need it.

Thanks,
Dan
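A small triage helper for the situation described in the post (added here as an example; it is not from the original post or from chkrootkit). It assumes a POSIX shell with find, ls, awk, cmp and od, takes a directory such as /tmp plus a reference passwd file, and reports hidden entries, their owning uid, any byte-for-byte copies of the reference file, and any file carrying the ELF header regardless of its exec bit:

```shell
#!/bin/sh
# Example triage helper (not from the original post). Assumes POSIX sh, find,
# ls, awk, cmp, od. Usage: triage /tmp /etc/passwd

# List hidden (dot-prefixed) entries directly under DIR, one per line.
find_hidden() {
    find "$1" -mindepth 1 -maxdepth 1 -name '.*' | sort
}

# Numeric uid owning PATH: shows which shell account created the entry.
owner_uid() {
    ls -ldn "$1" | awk '{ print $3 }'
}

# Print every regular file under DIR that is identical to REF (e.g. a copied
# /etc/passwd, as found in the post).
passwd_copies() {
    dir=$1; ref=$2
    find "$dir" -type f | while read -r f; do
        cmp -s "$f" "$ref" && printf '%s\n' "$f"
    done
}

# Succeed if FILE starts with the ELF magic bytes. A noexec /tmp and a cleared
# exec bit stop execution there; they do not mean the file is not a binary.
is_elf() {
    [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# Print a summary for DIR. Exit status 0 means nothing hidden was found,
# 1 means at least one hidden entry needs a closer look.
triage() {
    dir=$1; ref=$2
    find_hidden "$dir" | while read -r h; do
        printf '%s owner uid=%s\n' "$h" "$(owner_uid "$h")"
        ls -ld "$h"   # mode and mtime; compare the mtime with login records (last)
        passwd_copies "$h" "$ref" | sed 's/^/  copy of reference file: /'
        find "$h" -type f | while read -r f; do
            is_elf "$f" && printf '  ELF binary: %s\n' "$f"
        done
    done
    [ "$(find_hidden "$dir" | wc -l)" -eq 0 ]
}
```

The owning uid and the entry's mtime are the two facts that let you match the directory against who was logged in at the time; the ELF check answers whether 'nc1' is a compiled tool even though it is not marked executable.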
