I guess I didn't run rkhunter with the server running. I became aware of the attack because outbound ssh kept dying and chkrootkit warned me /bin/f had eth0 opened in promiscuous mode.
Running strings on /bin/f, I found out it also has /bin/i as part of its attack. It looks like neither binary has been stripped, so maybe gdb can be attached or the programs cleanly decompiled and the functionality figured out. I've left that partition untouched since I shut it down, but obviously I no longer boot to it. /bin/i appears to contain a dictionary file for attempting to attack other servers. /bin/f appears to create some text files full of data and perform some operation on them (upload them?):
/bin/cp /usr/sbin/t.txt unsort.txt && sort -u unsort.txt > /usr/sbin/t.txt && /bin/rm unsort.txt
The only referenced file on my system other than /bin/i I found was /usr/sbin/t.txt, and that was 0 bytes.
debsums -a showed my /etc/crontab had been modified, and I found where the script was executing from:
* * * * * root f Opyum Team
I have the two files, but they're too big to attach. I assume you would need copies to be able to detect them in the future, so let me know where to upload or send them. /bin/i is 865K, and /bin/f is 2.4M
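The crontab entry above is the kind of persistence that debsums surfaces but does not explain. The following is an added triage script, not part of the post and not the poster's own tooling: it parses the system crontab format (five schedule fields, a user field, then the command) and flags entries that run every minute, run as root, or invoke a bare or very short command name that cron would resolve through its PATH instead of an absolute path. The sample crontab is constructed for the example and modelled on the `* * * * * root f Opyum Team` line; the list of shell builtins it skips is a deliberately small assumption, not a complete one.

```python
"""Triage /etc/crontab-style entries for suspicious persistence.

System crontab format: min hour dom mon dow user command.
Added example; the sample content below is constructed, not a real capture.
"""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the modified /etc/crontab described in the post.
SAMPLE_CRONTAB = """\
# /etc/crontab: system-wide crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
* * * * * root f Opyum Team
"""

# Assumed, intentionally small set of shell builtins that never map to a file on disk.
SHELL_BUILTINS = {"cd", "test", "[", ".", "eval", "exec"}

# Matches VAR=value lines that cron treats as environment assignments.
ENV_ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


@dataclass
class CronEntry:
    schedule: str
    user: str
    command: str
    flags: list = field(default_factory=list)


def parse_system_crontab(text):
    """Return CronEntry objects for each job line, skipping comments and env lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ENV_ASSIGNMENT.match(line):
            continue
        parts = line.split(None, 6)  # five schedule fields, user, rest is the command
        if len(parts) < 7:
            continue  # malformed line; a fuller tool would report it separately
        schedule = " ".join(parts[:5])
        entries.append(CronEntry(schedule=schedule, user=parts[5], command=parts[6]))
    return entries


def triage(entries):
    """Attach flags to each entry and return only the entries that earned one."""
    for entry in entries:
        first = entry.command.split()[0]
        if entry.schedule == "* * * * *":
            entry.flags.append("runs every minute")
        if first not in SHELL_BUILTINS:
            if not first.startswith("/"):
                entry.flags.append(f"bare command name '{first}' resolved via cron PATH")
            if len(first.rsplit("/", 1)[-1]) <= 2:
                entry.flags.append(f"very short binary name '{first}'")
        if entry.user == "root" and entry.flags:
            entry.flags.append("runs as root")
    return [entry for entry in entries if entry.flags]


def suspicious_entries(text):
    """Convenience wrapper: parse and triage crontab text in one call."""
    return triage(parse_system_crontab(text))


if __name__ == "__main__":
    for hit in suspicious_entries(SAMPLE_CRONTAB):
        print(f"{hit.schedule} {hit.user} {hit.command}")
        for flag in hit.flags:
            print(f"    - {flag}")
```

Against the constructed sample only the `f Opyum Team` entry is reported; the stock Debian hourly and daily jobs start with shell builtins and a non-wildcard schedule, so they pass. On a real box, run it over `/etc/crontab` plus the files in `/etc/cron.d`, and treat a bare command name in a root job as something to resolve against the package manifests, as debsums did here.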