
Re: chkrootkit-0.31 and possible bug?



On Thu, Jun 06, 2002 at 01:33:30PM -0400, Phillip Hofmeister did this all over the keyboard:
> Hi,
> 
> It is possible your rootkit check sent up a false flag.  It is also possible
> (though unlikely) the attacker rigged the kernel to report any changed
> files with the same data they had before, with the same timestamp (this
> is a stretch...).  If you can afford some down time boot the system
> with a rescue disk (clean kernel) and use some clean tools on it...

If loadable module support weren't compiled in, it would require
recompiling the kernel in order to implement such modifications, wouldn't
it? And recompiling the kernel would require rebooting the system, but
it wasn't for sure! If only I hadn't compiled the kernel with module
support built in, but it was necessary, sad but true.
I can check the kernel/whole system from my backups.

But to me it seems that chkrootkit likely did trigger something wrong,
although I can't bet on it.

Thank you very much for every hint.

Willi



-- 
  _
 / \
/   \   ASCII Ribbon Campaign
\   /     against HTML in
 \ /       eMail & news
  X
 / \
