Help with virus/hackers

From: joe briggs (
Date: Thu Apr 17 2003 - 09:15:13 EST

Please redirect me if this is not the appropriate place for this post.

I have several Debian/Woody/2.4.19 webserver/firewalls at various locations
that seem to have been hacked or victum of a worm or virus. It is hard to
articulate exactly the symptoms since it quickly brings the system down, but
here is what I know so far:

1) There is no more output to /var/log/syslog. The contents of the file is
2) 'last' works, but with no unexpected ftp or telnet logins.
3) Windows systems on the inside seem to have been infected with the
W23.HLLW.ULTIMAX worm that propagates through Windows networking. Samba was
indeed running on the servers.
4) If I telnet into the server and 'ls', I get:
ls: uncrecognized prefix: do
ls: unparsable value for LS_COLORS environment variable

But I can su to root.

5) On some systems I rebooted and got the console errors "can't open
/etc/console/boottime.kmap.gz", and it can't seem to mount the the filesystem
and complete the boot.

The first machine went down last Friday in San Antonio TX last Friday. Then
within a few hours two more went down that was on the same DSL providers's
network. Today I experienced the problem on a server in Manchester NH.

Can anyone offer any advice or insight?

Joe Briggs
Briggs Media Systems
105 Burnsen Ave.
Manchester NH 01304 USA
TEL/FAX 603-232-3115 MOBILE 603-493-2386
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to
More majordomo info at
Please read the FAQ at

This archive was generated by hypermail 2b29 : Wed Apr 23 2003 - 22:00:21 EST