Quote:
Originally Posted by SplitInfinity
Ok UPDATES.....
I have been in several boxes around the world that this guy is in...
It seems this is not a NATS-specific hack, but this hacker is targeting
nats systems that use epassporte since that's the only ones he can
steal money from.
He is using some mysql injection exploit to find nats databases.
You should check your servers for the following:
Directories that should not be there... if they are, contact me...
/dev/k4rd
/dev/k4rd/proc.k4rd
In your /lib directory, this will surely tell you your system has been rooted:
[root@mail ~]# cd /lib
[root@mail lib]# grep k4rd *
Binary file libutil-2.3.3.so matches
Binary file libutil-2.3.4.so matches
Binary file libutil-2.3.5.so matches
All three of those files are kernel libs that totally give the guy control
of your system. In our case, we're owning him right now...... lol
Note to all: Nats has been VERY helpful in the situation.
They have heard of this same person before, he is apparently in Australia.
I want to say that anyone using NATS is in good hands, these guys are all
talking to me as I uncover all of this so they can jump on whatever they need to jump on to get things fixed (if they need to advise people to upgrade mysql for example or whatever)
We caught this fucker a while ago....Epass shut down his account, they know who he is or what name he used last time.....we were tracking his epass activity and found what city and hotel he was in, I was about to jump on a plane and go pay him a visit with a few friends...lol....
Great work Chris...see you in LA?
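
The checks listed in the quoted post, gathered into one script as an added example (not code from the thread or from NATS). The function names, the ROOT argument and the fixture contents are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: look for the indicators named in the post under a given root.
# Usage: ./scan_k4rd.sh /mnt/suspect   (script name and ROOT argument are assumptions)

scan_k4rd() {
    local root="${1:-/}" hits=0 f
    root="${root%/}"    # "/" becomes "" so "$root/dev/k4rd" is still correct

    # 1. Paths the post says should not exist.
    for f in /dev/k4rd /dev/k4rd/proc.k4rd; do
        if [ -e "$root$f" ] || [ -L "$root$f" ]; then
            echo "PATH $f"
            hits=$((hits + 1))
        fi
    done

    # 2. Same test as the post's `grep k4rd *` in /lib: any file containing the string.
    for f in "$root"/lib/*; do
        [ -f "$f" ] || continue
        if LC_ALL=C grep -q 'k4rd' -- "$f"; then
            echo "LIB /lib/${f##*/}"
            hits=$((hits + 1))
        fi
    done

    [ "$hits" -eq 0 ]    # exit status 0 = nothing found, 1 = at least one indicator
}

# Constructed fixture: a throwaway fake root with the indicators planted, for a dry run.
make_fixture() {
    local d
    d="$(mktemp -d)"
    mkdir -p "$d/dev/k4rd" "$d/lib"
    : > "$d/dev/k4rd/proc.k4rd"
    printf '\177ELF\0\0k4rd\0' > "$d/lib/libutil-2.3.4.so"    # fake "matching" lib
    printf '\177ELF\0\0clean\0' > "$d/lib/libc-2.3.4.so"      # fake clean lib
    echo "$d"
}

# Scan only when a root is given on the command line.
if [ "$#" -gt 0 ]; then
    scan_k4rd "$1"
fi
```

On a host that may already be rooted, the local `grep` and the libraries it loads cannot be trusted, so boot rescue media and pass the mounted disk as ROOT rather than scanning the live system.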