I have not started the forensics on this box. Pulled it offline and left it running until I can get to it.
You left it "running"?
If you leave your system running you can examine the content that is loaded in memory.
I suspect, but cannot confirm, that it was via SSHv1 that I inadvertently left enabled in webmin.
SuSE want the HD image?
I doubt it... it's not SuSE's fault anyway :)
No doubt about that, but maybe they want to play around with it?
That's the point - if it is a configuration issue, then there's nothing that we can do about it as SUSE. If there is some exploit that has been using a vulnerability that we are not aware of, then it's something different.
I'd ask your local honeynet project, I bet they'll be interested in it.
marc
Thanks,
Roman.
--
Roman Drahtmüller