At the risk of prolonging the speculation:
On Saturday 26 February 2005 11:16 am, Don Erickson wrote:
> Okay. If I am reading the info correctly, 2.4.20-37.7.legacy was compiled in Sept 2004, before the uselib() root kernel hole was discovered in January, 2005. http://www.isec.pl/vulnerabilites/isec-0021-uselib.txt.
> There was also an awstats exploit patched on Feb 16 or so, that allowed remote execution of commands by the apache-owner, "nobody" on Redhat, I believe.
Clearly, there was some vulnerability, and I agree that those are two very likely candidates. Of course, most vulnerabilities are at most potential DoS potentials in that someone can, at most, crash the system. A true back-door vulnerability is rarer, and I will continue looking for possibilities.
> Now, it may be presumptuous of me to assume your box has been rooted...
While it's clear somebody took advantage of a vulnerability to install a trojan, I think that "rooted" implies a lot more to you than what actually happened to this system.
> I did ask you what user had installed the backdoor that you're asking about, but didn't receive an answer.
That's because I don't have one. The only thing that was "installed" appears to have been a running process (rootedoor), and when I killed it with a reboot it doesn't appear to have left any traces.
We'll probably never know what happened to the system the day it was "cleared". I have good reason to believe that except for vulnerabilities, the restored image was uncompromised, and through exhaustive examination I believe that the system is currently uncompromised. Thirty-six hours of running with no suspicious behavior confirm this.
I've seen compromised systems, I've wiped systems where I felt there was a possibility that I couldn't trust them. I have checked all of the specific items you suggested, and I don't feel there's any need to panic and wipe the thing.
If you can think of other items to check, I really do appreciate that, I'll check and let you know.
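The reply above notes that the "rootedoor" process was killed with a reboot and "doesn't appear to have left any traces". The traces that were lost are exactly the ones that live only in /proc while the process runs: the path of the binary (even after it is unlinked from disk), its working directory and its command line. The script below is an added example, not code from this thread or from either participant: it parses `ps -eo pid,user,comm,args` output, flags any process whose command name is on a watch list (here only "rootedoor", the name from the page), and copies those /proc facts before anyone kills the process. The `ps` listing and the /proc tree it reads are constructed stand-ins so the example runs offline; the "(deleted)" suffix on the exe link is how Linux reports a binary that was removed from disk while still running, which is a common reason a post-reboot search finds nothing.

```python
import os
import tempfile
from dataclasses import dataclass, field

# Constructed watch list. "rootedoor" is the process name the thread mentions;
# any other name you put here is your own indicator, not something from the page.
WATCHLIST = {"rootedoor"}

# Constructed `ps -eo pid,user,comm,args` output, not a real capture.
SAMPLE_PS = """\
  PID USER     COMMAND         COMMAND
    1 root     init            init [3]
  612 root     sshd            /usr/sbin/sshd
 1234 nobody   rootedoor       ./rootedoor
 1300 nobody   httpd           /usr/sbin/httpd
"""


@dataclass
class Finding:
    pid: int
    user: str
    comm: str
    args: str
    evidence: dict = field(default_factory=dict)


def parse_ps(text):
    """Parse `ps -eo pid,user,comm,args` output into (pid, user, comm, args); skips the header."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) < 3:
            continue
        args = parts[3] if len(parts) == 4 else ""
        rows.append((int(parts[0]), parts[1], parts[2], args))
    return rows


def flag_suspicious(rows):
    """Return a Finding for every process whose command name is on the watch list."""
    return [Finding(pid, user, comm, args) for pid, user, comm, args in rows if comm in WATCHLIST]


def snapshot_proc(finding, proc_root="/proc"):
    """Record the volatile facts that vanish on reboot: exe and cwd link targets plus cmdline."""
    base = os.path.join(proc_root, str(finding.pid))
    for link in ("exe", "cwd"):
        try:
            finding.evidence[link] = os.readlink(os.path.join(base, link))
        except OSError as err:
            finding.evidence[link] = f"<unreadable: {err.strerror}>"
    try:
        with open(os.path.join(base, "cmdline"), "rb") as fh:
            raw = fh.read()
        # cmdline is NUL-separated; turn it back into a readable string.
        finding.evidence["cmdline"] = raw.replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError as err:
        finding.evidence["cmdline"] = f"<unreadable: {err.strerror}>"
    return finding


def triage(ps_text, proc_root="/proc"):
    """End to end: parse ps output, flag watch-listed names, snapshot their /proc entries."""
    return [snapshot_proc(f, proc_root) for f in flag_suspicious(parse_ps(ps_text))]


def build_fake_proc(root):
    """Constructed stand-in for /proc/1234 so the example runs without a live process.
    The exe link ends in ' (deleted)', the form Linux uses for a binary that was
    unlinked from disk while the process kept running."""
    d = os.path.join(root, "1234")
    os.makedirs(d, exist_ok=True)
    os.symlink("/tmp/.rootedoor (deleted)", os.path.join(d, "exe"))
    os.symlink("/tmp", os.path.join(d, "cwd"))
    with open(os.path.join(d, "cmdline"), "wb") as fh:
        fh.write(b"./rootedoor\0")
    return root


def demo():
    """Run the triage against the constructed sample and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(SAMPLE_PS, build_fake_proc(tmp))


if __name__ == "__main__":
    for f in demo():
        print(f"pid={f.pid} user={f.user} comm={f.comm} evidence={f.evidence}")
```

On a live system you would call `triage(subprocess.check_output(["ps", "-eo", "pid,user,comm,args"], text=True))` against the real `/proc` and write the findings somewhere off the box before touching the process; the point is that the exe path, working directory and command line are recoverable only while the process exists, so the snapshot has to come before the kill or reboot.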