I need help with finding out what's that. Looks like my linuxbox has been compromised (probably weak password on a forgotten test user). I tried to remove the user today (I couldn't) and after some digging I found thed there is a httpd running using some trick [1] to hide itself. The .x directory contains something that looks strange...
I'll post more tomorrow, but looks like one of the parts is file muhnoucompilat.jpg. It's not jpg, it's a tar archive that contains the rogue software.
Mods, is it OK to post it here? I don't want to spread the problem, but I need help with analysing what if that.
This is probably the same file as this one:
http://296832.s.dedikuoti.lt/.x/m/
Looks like the whole thing was set up to keep muh [2] running on something called undernet.
ANY help will be really appreciated!
[1]
https://github.com/creaktive/psf
[2]
http://muh.sourceforge.net/