Analyse of mass2.tgz

tar tvzf mass2.tgz
drwxr-xr-x admist/admist     0 2003-01-08 15:20:35 mass2/
-rwxrwxr-x admist/admist 35666 2003-01-08 15:20:00 mass2/mass
-rw-r--r-- admist/admist    69 2002-10-01 11:04:26 mass2/Makefile
-rw-rw-r-- admist/admist 15952 2002-10-01 12:12:23 mass2/mass.c
-rwxrwxr-x admist/admist 28087 2003-01-08 15:20:00 mass2/vuln
-rw-rw-r-- admist/admist  5609 2002-10-01 11:23:24 mass2/vuln.c
-rwxr-xr-x root/root     23039 2003-01-08 15:09:18 mass2/osslmass2
-rwxr-xr-x root/root    149595 2003-01-08 15:20:00 mass2/openssl-too
-rw-r--r-- root/root         1 2003-01-08 15:20:35 mass2/mass.log
-rw-r--r-- root/root     25265 2002-11-24 03:08:17 mass2/mass.pid
VirusFile
ELF_RST.B mass2/mass
ELF_RST.B mass2/vuln
ELF_RST.B mass2/osslmass2
ELF_RST.B mass2/openssl-too

mass2/mass

[kmaster@christophe mass2]$ strings mass
...
mass.log
: Mass scanner - by Phill
: This is an SSL IP scanner that can be placed into background
: it keeps logs of each ip found, and the apache/*nix version

mass2/vuln

[kmaster@christophe mass2]$ strings vuln ... : vuln.c - by Phill : vuln analizes a `mass.log' and displays the vulnerable IPs : and the server version

mass2/Makefile, mass2/mass.c, mass2/vuln.c

Source code of the two previous tools

mass2/osslmass2

[kmaster@christophe mass2]$ strings osslmass2
...
[01;31;31m: osslmass2.c - by Inkubus
[00m,
[00;34;35mthe credits goes to Solar Eclipse and Phill
[00m
[00;34;32m: osslmass2 tries to exploit a `mass.log' and attacks vulnerable IPs

mass2/openssl-too

[kmaster@christophe mass2]$ strings openssl-too
...
: openssl-too-open : OpenSSL remote exploit
  by Solar Eclipse <solareclipse@phreedom.org>

The server may have been hacked using this exploit.