SCIENTIFIC-LINUX-USERS Archives

September 2008

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Troy Dawson <[log in to unmask]>
Reply To: Troy Dawson <[log in to unmask]>
Date: Tue, 30 Sep 2008 15:08:43 -0500
Content-Type: text/plain
Parts/Attachments: text/plain (41 lines)
Eduardo Bach wrote:
> Hello to all,
> 
> One of our servers was invaded. We just started the investigations, but 
> the main clue, plus some strange files copied and deleted, is that the sshd 
> binary has changed. Its original size was ~313KB and it is now 1.18MB. 
> Its version was 3.9p1-11.e4_7. As we are at the beginning of the investigation, 
> I wonder if anyone has had a similar problem, or has any clue on how the 
> intruder may have entered?
> Thanks in advance.
> 
> Eduardo Bach

Hi,
I'm not the best investigator of break-ins, so I am probably not going to have 
an answer, but with the information you gave us, it could be anything.  It 
could be someone got a password from somewhere, to apache running as root.

So here are a couple of questions that might help get started.

What version of linux was it running? If not linux, what OS was it running?

What services did it have?  Was it a web server, a database server, a desktop?

How many users had access to the machine?  Was it a server with only one user, 
or a general login machine?

How could people log in?  ssh only?  telnet? rsh?

Did your average person have physical access to the machine?

Answers to those questions help track things down.
Another thing most people do is take a snapshot of the disk, so your 
investigation doesn't mess up the evidence.
Troy
-- 
__________________________________________________
Troy Dawson  [log in to unmask]  (630)840-6468
Fermilab  ComputingDivision/LCSI/CSI DSS Group
__________________________________________________
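The sshd size change reported in this thread is exactly the kind of thing a file-integrity baseline catches. As an added example, not code from the thread or from Scientific Linux: on an RPM-based system the quickest first check is `rpm -V openssh-server`, which compares each packaged file with the RPM database and prints a flag string where `S` marks a size mismatch, `5` a digest mismatch and `T` a changed mtime; because an intruder with root can also edit that database, it is worth re-running the check against a known-good package file with `rpm -Vp`, and doing all of it on a disk image rather than the live system, as Troy suggests. The POSIX shell script below keeps an independent baseline of SHA-256 and byte size for a list of files and reports which ones were modified or removed. The file names are constructed placeholders created in a temporary directory so the script runs offline; `demo tamper` reproduces the "binary grew" symptom on the placeholder and `demo clean` shows the no-change case.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): record and verify an
# integrity baseline of "<sha256> <size> <path>" lines for a set of files.

# Print "<sha256> <size>" for one file.
fingerprint() {
    f="$1"
    sum=$(sha256sum "$f" | cut -d' ' -f1)
    size=$(wc -c < "$f" | tr -d ' ')
    printf '%s %s\n' "$sum" "$size"
}

# Write a baseline for all files given after the output path.
record_baseline() {
    out="$1"; shift
    : > "$out"
    for f in "$@"; do
        printf '%s %s\n' "$(fingerprint "$f")" "$f" >> "$out"
    done
}

# Compare every file in the baseline with its current state.
# Prints one status line per file; returns 1 if anything differs or is gone.
check_baseline() {
    base="$1"
    rc=0
    while read -r sum size path; do
        if [ ! -f "$path" ]; then
            printf 'MISSING  %s\n' "$path"
            rc=1
            continue
        fi
        cur=$(fingerprint "$path")
        if [ "$cur" = "$sum $size" ]; then
            printf 'OK       %s\n' "$path"
        else
            printf 'MODIFIED %s (baseline %s bytes, now %s bytes)\n' \
                "$path" "$size" "${cur#* }"
            rc=1
        fi
    done < "$base"
    return "$rc"
}

# Self-contained demo on constructed placeholder files.
# "demo tamper" appends bytes to the fake sshd after the baseline is taken,
# mimicking the size change described in the thread; "demo clean" does not.
demo() {
    mode="${1:-clean}"
    tmp=$(mktemp -d)
    printf 'pristine sshd placeholder\n' > "$tmp/sshd"
    printf 'pristine sshd_config placeholder\n' > "$tmp/sshd_config"
    record_baseline "$tmp/baseline.txt" "$tmp/sshd" "$tmp/sshd_config"
    if [ "$mode" = "tamper" ]; then
        printf 'unexpected extra bytes\n' >> "$tmp/sshd"
    fi
    status=0
    check_baseline "$tmp/baseline.txt" || status=$?
    rm -rf "$tmp"
    return "$status"
}
```

The baseline file itself must live somewhere the machine cannot rewrite (removable media, another host, or a printout), otherwise it proves no more than the RPM database does.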
