Symantec has released here information about a new kind of Linux backdoor found on broken-in Linux servers.

The most interesting point is the use of injecting data in normal SSH traffic for communication, without opening new network ports nor adding new daemons to the process list.

It would be interesting to learn more about it.