Prick!!
magyartoth
01-05-2001, 12:26 AM
Ok, this is a strange question...maybe I'm just being paranoid.
A few months ago, I built a cheap machine to serve as a webserver for our department. It's a linux box running Redhat 6.2. Not much is on it except latest vers of Apache, MySQL, PHP, and SSH2. Its only purpose is to serve a small website.
Today I was browsing the processes and noticed a process named "prick" owned by root and located in /bin. I tried running 'prick' and it asked for my login, then password. It seems to be part of the whole login deal because it only accepts valid usernames and passwords. However we never installed anything other than the above mentioned servers and RH 6.2.
So what is prick? Why is it named prick? Am I being paranoid?
Thanks,
Chris
Evil Jeff
01-05-2001, 12:47 AM
Not sure, but I've seen a group of fonts under the name prick before I believe.
Evil Jeff
www.hellincorporated.com (http://www.hellincorporated.com)
magyartoth
01-05-2001, 01:16 AM
Me too, but I don't think this is a font. ;)
Any other ideas?
Originally posted by Evil Jeff:
Not sure, but I've seen a group of fonts under the name prick before I believe.
Evil Jeff
www.hellincorporated.com (http://www.hellincorporated.com)
A_Lawn_GNOME
01-05-2001, 08:08 AM
Try man prick and then search google.com/linux (you might need to specify more options; "prick" will get some unrelated pages, I think) :)
camelrider
01-06-2001, 08:54 AM
Try "locate prick". Besides the binary there might be some .config file that'll give you a clue.
------------------
We'll get this right yet!
scott_R
01-06-2001, 02:16 PM
man prick==obvious
info prick==guy that knows everything
whatis prick==asian teenage hooker's question
locate prick==girls night out
find prick==when a woman gets married
And people say linux isn't fun to learn. :)
groundzero
01-06-2001, 03:15 PM
hahahahahahah
------------------
Groundzer0......
Please stop me before I format again. (I'm a Serial Formatter)
magyartoth
01-06-2001, 04:36 PM
Wow....I can't believe I can't find any info on this process. My only conclusion is that it must have been inserted by someone else. I am going to delete the executable, install tripwire.
Thankx
It's a linux box running Redhat 6.2. Not much is on it except latest vers of Apache, MySQL, PHP, and SSH2.
Are they the LATEST versions, or just the versions that came with RH 6.2? I'd highly recommend verifying versions of all installed apps as well as checking security on your kernel and any other running processes.
Today I was browsing the processes and noticed a process named "prick" owned by root and located in /bin. I tried running 'prick' and it asked for my login, then password. It seems to be part of the whole login deal because it only accepts valid usernames and passwords.
This seems very obvious to me; "prick" is probably a trojan login program or the backup of /bin/login when someone switched them. Or it may be a trojan of some other sort, allowing access to the system, saving and emailing passwords, almost anything. I'd seriously recommend shutting down for retooling and installing a fresh system with the LATEST versions of everything. Oh, and don't install anything that's not absolutely necessary to the system's purpose.
klamath
01-06-2001, 07:54 PM
Stupid cross-posting. An identical question to this was posted to Web Serving/Security.
------------------
- Klamath
Get my GnuPG Key Here (http://klamath.dyndns.org/mykey.asc)
Looking for an open source project to contribute to? Check out the Better Bulletin Board (http://bbb.sourceforge.net)
forrest
01-06-2001, 10:54 PM
there'd be less cross posting, if sensei didn't have so damn many overlapping sections.
DrDrake
01-07-2001, 02:29 AM
***Officially closes this post in general forum. Do not help this sad, misguided soul ***