
Re: Rootkit warning! (Was: Re: LS_COLORS error)



On Friday 06 June 2003 05:44, Neilen wrote:
> Sure enough, this seems to be the case.  I also had a problem where
> procps would not install due to "permission denied". Chattr showed why
> ;)
>
> Guess it's reinstall time.  You think it would be safe to keep my /home/*
> for the new install?

Well, that depends on how much you'd trust the system when you just removed 
the kit. I _think_ I got rid of it by deleting the files mentioned in the 
small "analysis", and the machine at least seems to behave normally since then. 
Just make sure you aren't running any trojaned ssh daemon, login or anything 
that allows remote login. You can see that by running clean versions of ps, 
netstat et al. off a clean floppy. You'll also need clean versions of find 
and ls, then it's easy. On my system, all the files had UID/GID 500, so they 
were easy to spot.

Keeping the home directories should be safe as long as you don't keep any code 
in there that might have been trojaned, which is improbable since you've 
likely been hacked by a script kiddie that wanted your machine as a zombie 
for a DDoS or something.

-- 
Got Backup?
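As an added example (not code from anyone in this thread), a small POSIX shell script for the checks described in the reply above: it puts a trusted toolset first in PATH, lists files owned by a given UID/GID, flags immutable files from lsattr output (the chattr case behind the "permission denied" on procps), and compares /proc with ps for processes a trojaned ps would hide. The mount point /mnt/floppy/bin and the sample lsattr lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original thread. TRUSTED_BIN is an assumed
# mount point for clean, statically linked tools (e.g. from a known-good floppy).
TRUSTED_BIN="${TRUSTED_BIN:-/mnt/floppy/bin}"
if [ -d "$TRUSTED_BIN" ]; then
    PATH="$TRUSTED_BIN:$PATH"
fi
export PATH

# Print every path under $1 (same filesystem only) owned by UID $2 or GID $3.
# In the thread all rootkit files carried UID/GID 500, so: find_by_owner / 500 500
find_by_owner() {
    find "$1" -xdev \( -uid "$2" -o -gid "$3" \) -print 2>/dev/null
}

# Read "lsattr -R" lines on stdin ("----i---------e----- /path") and print the
# paths whose attribute field contains 'i' (immutable). Paths may contain spaces.
immutable_from_lsattr() {
    awk '{ flags = $1; sub(/^[^ ]+ +/, ""); if (index(flags, "i")) print }'
}

# Immutable files under $1; needs lsattr (e2fsprogs), silently skipped otherwise.
find_immutable() {
    command -v lsattr >/dev/null 2>&1 || return 0
    lsattr -R "$1" 2>/dev/null | immutable_from_lsattr
}

# PIDs present in /proc that the ps on PATH does not report. A process that
# exits between the two looks is re-checked, so only persistent gaps are printed.
hidden_pids() {
    command -v ps >/dev/null 2>&1 || return 0
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        if ! ps -p "$pid" -o pid= >/dev/null 2>&1 && [ -d "$d" ]; then
            echo "$pid"
        fi
    done
}
```

Run the three checks from a shell whose PATH already prefers the trusted tools; output that differs between the trusted and the system ps, find or lsattr is the finding.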


