A hacker gained root access to my system apparently via 'lpd'.
The evidence I have that 'lpd' was compromised are two facts:
some of the original files were created with group 'lp'
the 'rootkit' scripts used by the hacker after gaining
access removed/replaced 'lpd' for no apparent reason.
I have filed a report with CERT.
I have a copy of all the 'rootkit' scripts used by the hacker.
Did you update LPRng as suggested by Red Hat's security advisory issued several
months ago? See:
Looks like the Ramen worm or a variant. Yes, it should have been closed by the