I caught a hacker midway through a break-in on my computer.
He somehow gained root access, and replaced some system files
with his own (ls, ps, chsh, netstat, yppoll). Because I cut his
connection midway through, I got the code he was using before
it erased itself (it was called the megalight-rootkit). I will e-mail
a gzipped tar file which includes the /var/messages file which shows
his ftp break-in, along with the system files he replaced and the
rootkit directory to firstname.lastname@example.org.
Created attachment 7569
tgz file contains megalight-rootkit, /var/messages documenting break-in, replaced system files
Known and fixed wu-ftpd problem, it appears.