On Tue, Nov 29, 2005 at 04:34:11AM +0000, kevin bailey wrote:
> hi,
>
> the following output looks like i've been rooted.

Yes, it doesn't look like a false positive:

> Checking `ls'... INFECTED
> Checking `netstat'... INFECTED
> Checking `ps'... INFECTED
> Checking `top'... INFECTED

Nasty.

> Searching for suspicious files and dirs, it may take a while...
> /usr/lib/zope/lib/python/Products/DCWorkflow/.Xserver-lcd
> /usr/lib/zope/lib/python/Products/ZnolkSQLWizard/.selectColumns.dtml.swo
> /usr/lib/zope/lib/python/Products/ZnolkSQLWizard/.selectColumns.dtml.swp
> /usr/lib/zope/lib/python/SearchIndex/.testinfo

Those might be FP.

> /usr/lib/nmh/include/lib/.sniffer

This one looks nasty.

> Searching for anomalies in shell history files... Warning:
> `//root/.bash_history' file size is zero

Nasty.

> Checking `lkm'... You have 107 process hidden for readdir command
> You have 113 process hidden for ps command

Nasty.

> Checking `sniffer'... eth0 is PROMISC

You have several processes hidden and what looks like sniffer logs, so be careful. Your passwords might be compromised either through a trojaned ssh client if you are using ssh or through the sniffer if you are using clear-text passwords.

Sorry,

Javier
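An added example, not part of the original message: a small parser that sorts chkrootkit output into the categories the reply walks through, keeping the hidden-file paths apart because they can be false positives. The function names and the report layout are assumptions made for this illustration, and the line formats are taken only from the output quoted above.

```python
import re

# Sample reflowed from a subset of the chkrootkit output quoted in the message;
# the `login' line is constructed to show a clean result being ignored.
SAMPLE = """\
Checking `login'... not infected
Checking `ls'... INFECTED
Checking `netstat'... INFECTED
Checking `ps'... INFECTED
Checking `top'... INFECTED
Searching for suspicious files and dirs, it may take a while...
/usr/lib/zope/lib/python/SearchIndex/.testinfo
/usr/lib/nmh/include/lib/.sniffer
Searching for anomalies in shell history files... Warning: `//root/.bash_history' file size is zero
Checking `lkm'... You have 107 process hidden for readdir command
You have 113 process hidden for ps command
Checking `sniffer'... eth0 is PROMISC
"""

PATTERNS = {
    "infected": re.compile(r"Checking `([^']+)'\.\.\. INFECTED"),
    "empty_history": re.compile(r"`([^']+)' file size is zero"),
    "hidden": re.compile(r"You have\s+(\d+) process hidden for (\w+) command"),
    "promisc": re.compile(r"(\S+) is PROMISC"),
}

def parse_chkrootkit(text):
    """Group chkrootkit findings by the kind of evidence they represent."""
    report = {"infected": [], "empty_history": [], "hidden": {},
              "promisc": [], "paths": []}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):   # bare path printed by a "Searching" check
            report["paths"].append(line)
            continue
        report["infected"] += PATTERNS["infected"].findall(line)
        report["empty_history"] += PATTERNS["empty_history"].findall(line)
        for count, view in PATTERNS["hidden"].findall(line):
            report["hidden"][view] = int(count)
        report["promisc"] += PATTERNS["promisc"].findall(line)
    return report

def strong_indicators(report):
    """Non-empty categories; paths are left out as they need manual review."""
    return [k for k in ("infected", "empty_history", "hidden", "promisc") if report[k]]

if __name__ == "__main__":
    r = parse_chkrootkit(SAMPLE)
    print(r)
    print("strong indicators:", strong_indicators(r))
```
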