Hi,
I found a normal file in /dev, "h", on one of my servers. It contains the following text between binary code: Invalid partition table^@No operating system^@Error loading operating system
This should not be there. It might be part of a rootkit hooking before kernel-loading.
The server has an open ssh port, available from the internet via dyndns.org. Using DSL with t-online.de.
Not only available from dyndns.org. You can always connect to the IP from everywhere. The portscan could be faked, the packet log may be misleading.

1. Remove the file, better move it to another location.
2. Reboot. If the system does not start -> it was hacked, this file was an active chainloader.
3. Load chkrootkit, do a make sense, check the system. If possible use /bin from CD or another machine (NFS, Samba, whatever).
4. If you find anything confirmed (an identified rootkit), shut down, reinstall after formatting OR (the dangerous way)
5. Install another machine with same distribution, same patchlevel, and tripwire the disk against it. Replace changed files manually. This may result in an unusable system, or you miss some infected files.

Ciao,
Dieter
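
A check for the situation described in this thread, added here as an example and not part of either message: it lists regular files under a directory such as /dev and reports whether each contains the strings quoted in the post or the 0x55 0xAA boot-sector signature at offset 510. The function names and the sample data are constructed for illustration.

```python
import os
import stat
import tempfile

# Strings quoted in the post above.
BOOT_STRINGS = (b"Invalid partition table", b"No operating system",
                b"Error loading operating system")

def regular_files(root):
    """Yield regular files under root, skipping device nodes, FIFOs and symlinks."""
    for dirpath, _dirs, names in os.walk(root, followlinks=False):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if stat.S_ISREG(os.lstat(path).st_mode):
                    yield path
            except OSError:
                continue  # entry vanished or is unreadable

def inspect_file(path, max_bytes=1 << 20):
    """Report boot-sector indicators in the first max_bytes of one file."""
    with open(path, "rb") as fh:
        data = fh.read(max_bytes)
    return {
        "path": path,
        "strings": [s.decode() for s in BOOT_STRINGS if s in data],
        # A PC boot sector carries the signature 0x55 0xAA at offset 510.
        "boot_signature": data[510:512] == b"\x55\xaa",
    }

def scan(root="/dev"):
    return [inspect_file(p) for p in sorted(regular_files(root))]

def build_sample(root):
    """Constructed test data: a fake 512-byte sector named 'h' plus a harmless file."""
    sector = bytearray(512)
    msg = b"\x00".join(BOOT_STRINGS)
    sector[256:256 + len(msg)] = msg
    sector[510:512] = b"\x55\xaa"
    with open(os.path.join(root, "h"), "wb") as fh:
        fh.write(sector)
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"harmless\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for finding in scan(tmp):
            print(finding)
```

On a live system, call `scan("/dev")` as root, ideally with an interpreter from trusted media. Regular files under /dev/shm are normal on current Linux systems, so review each hit instead of treating it as proof of compromise.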