( wrie | 2012. 07. 02., Mon – 19:26 )

They say this is what did it:
http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-s…

And it modifies things like these:
What I found so far:

SSH was definitely compromised; they replaced the binaries! (The old binaries wound up in /etc/rpm directory.) And sshd_config was replaced with a 0-byte file.

There was a /tmp/mexpl.tgz file that contained exploit code.

/etc/passwd and /etc/group were modified with a new account called "ice".

/etc/cron.daily had a new addition - a file called "dnsquery" that emailed the hacker.
(This was basically similar to the original poster's code - /usr/lib/.popauth was run.)

/root/.ssh/known_hosts was modified with a new entry.

There was a file called /tmp/back which apparently ran perl and executed a shell for the attacker.

/usr/include/gpm2.h was a 0-byte, rwxrwxrwx file.

/usr/lib had the +c0d.init file, as well as a subdirectory with exploit - /usr/lib/named.
klogd1, named.sn, and zum were in there.
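
A triage check for the artifacts listed in the comment above, added here as an example and not part of the original post. The function name `scan_root` and the `/etc/ssh/sshd_config` location are assumptions (the post names the file but not its directory).

```shell
#!/bin/sh
# Added example: report which artifacts from the post exist under a
# filesystem root. Usage: sh triage.sh --scan /mnt/suspect

# Paths reported in the post.
IOC_PATHS="/tmp/mexpl.tgz /tmp/back /etc/cron.daily/dnsquery
/usr/lib/.popauth /usr/lib/+c0d.init /usr/lib/named
/usr/lib/named/klogd1 /usr/lib/named/named.sn /usr/lib/named/zum
/usr/include/gpm2.h"

# scan_root ROOT: print one line per finding; prints nothing on a clean root.
scan_root() {
    root=${1%/}          # "/" becomes "" so "$root$p" stays a valid path
    for p in $IOC_PATHS; do
        if [ -e "$root$p" ]; then
            echo "FOUND $p"
        fi
    done

    # The post reports sshd_config replaced with a 0-byte file.
    # Assumed location: /etc/ssh/sshd_config.
    cfg="$root/etc/ssh/sshd_config"
    if [ -f "$cfg" ] && [ ! -s "$cfg" ]; then
        echo "EMPTY /etc/ssh/sshd_config"
    fi

    # The post reports a new account "ice" in passwd and group.
    # Anchoring on '^ice:' avoids matching names that merely end in "ice".
    for db in passwd group; do
        if grep -q '^ice:' "$root/etc/$db" 2>/dev/null; then
            echo "ACCOUNT ice in /etc/$db"
        fi
    done
    return 0
}

# Runs only when invoked as: sh triage.sh --scan [ROOT]
if [ "${1:-}" = "--scan" ]; then
    scan_root "${2:-/}"
fi
```

Run it from a trusted system against a read-only mount of the suspect disk, since the post reports that binaries on the host itself were replaced.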