Hi folks, some of my servers where hacked the day before... i found some strange processes and some binaries changed and would like to know what hack or possible worm this is and what to do against - update which daemon/package ? files changed or created: -rwxr-xr-x 1 root root 60296 Dez 20 20:37 /bin/netstat -r-xr-xr-x 1 root root 32756 Dez 20 20:37 /bin/ps -rw------- 1 root root 512 Dez 20 21:37 /bin/.s -rw------- 1 root root 526 Dez 20 20:37 /bin/hk -rw------- 1 root root 512 Dez 20 20:37 /bin/s -rw-r--r-- 1 root root 673 Dez 20 20:37 /bin/sc -rw-r--r-- 1 root root 880 Dez 20 20:37 /bin/ssc -rwxr-xr-x 1 root root 207272 Dez 20 15:44 /usr/bin/afb -rwxr-xr-x 1 root root 111 Dez 20 20:37 /usr/bin/hdp -rwxr-xr-x 1 root root 5008 Dez 20 20:37 /usr/bin/sn i found some scripts here: ./usr/src/wsx ./usr/src/wsx/flood ./usr/src/wsx/mass-scan ./usr/src/wsx/parser ./usr/src/wsx/cleaner ./usr/src/wsx/sz ./usr/src/wsx/tcp.log i found this process: 30056 ? S 0:01 /usr/bin/./afb -f /bin/sc -q -p 55001 -h /bin/hk my maschine is still running at Suse 6.2 since its a production machine some hundred kilometers away from me, so i cant just drive there making an update before Jannuary... so i apreciate any info to stabilize it until then... hope you can help me... thx in advance Walter Raboch