"John (EBo) David" <ebo@leml.la.asu.edu> wrote:

> George Toft wrote:
> >
> > Hi John,
> >
> > Post a ps and let the group dissect it.
>
> Ok... See appended:

 Output of ps won't mean much if a rootkit has already been installed
(search on rootkits - i.e.
http://linux.oreillynet.com/pub/a/linux/2001/12/14/rootkit.html)

Ideally, you'd have tools running up front to detect unauthorized changes.
There are tools though (i.e. chkrootkit - http://www.chkrootkit.org/) to
look for signs of compromise even after the fact.

Running something like aide or tripwire against critical files is a good
detection measure, but it needs to be set up up front.

- Bob