Yeah, I know, it can't happen in Linux. But it has been happening to our work servers for several months.

Due to poor security practices of the past catching up to us, three of our servers (www, mail, and internal business software) got hacked into, and now there's some bug installed that monitors and logs ssh logins. It writes login information to /etc/host.

The www and mail servers are running FC6 and Cent4.4, respectively, and the other is running Slack 10. Suggesting a different distro for the Slackware box isn't an option at this point. The software that runs on it is 20+ years old and barely runs even on that OS. The others seem to work fine aside from the password logger and any other, more subtle infections present.

I've been looking around, and can't find any references to "/etc/host" (most links refer to the valid "/etc/hosts" or "host.conf" or "host.allow/deny") ... Does anyone have any info on this type of logger? It's clear enough that whoever is doing this is managing to catch other credentials beyond just the ssh sessions, and the worst actual damage we've seen has been creating phishing pages. We're trying to beef up security, but now it's an even steeper uphill battle with the enemy already inside.

Any help or info on this type of attack would be appreciated.

-joe t.