Ok, done all of this (even written them to a text file for later review). So far, I don't see anything unusual. I have a couple of non-standard (installed myself) servers running here (ircd and opennap) and I know which ports those are on. Everything else appears to be as normal (including their port assignments). I've also verified all packages on the "infected" machine and found no discrepancies that wouldn't be accounted for (some conf files were changed, but those I already know about as I was the one that modified them). Everything else checks out.

As a safety measure when I first found an intruder on my system some weeks back, I changed all passwords and ran chattr +ui on some specified directories (/bin, /sbin, /usr/bin, /usr/bin/X11R6, /usr/sbin) to make sure the files couldn't be modified without my knowing about it (this at the suggestion of Tom Perry). I checked the package verification against a log of the last time I did so (which was 4 weeks ago) and noted only minor changes (mostly in some logs and 1 or 2 conf files that I know about).

The kernel on this box does not have module support (not needed, as this is a gateway box for my LAN and I only needed certain items, such as the devices on board and iptables, compiled in). This was specifically to prevent the introduction of "hijacked" modules. As it is, I was thinking ahead security-wise when I placed this unit online.

Anything else I should be doing?

Technomage

On Wednesday 19 June 2002 07:59 am, you wrote:
> It's possible that the "lsof" command wasn't trojaned, since most root
> kits don't check for it. Try "lsof -ni" and see if there's any difference
> between "netstat -lp". If so, copy over a new "ps" and "ls" and "netstat"
> from another machine that you know hasn't been compromised (a fresh install
> is best, and make sure it's the same arch/distro). If lsof shows an
> unusual port, check to see what program is running in the far left column.
> Locate that program and run "strings" on it to get more info. This should
> get you started. Keep us updated on what you find.
> Thanks,
> ~M
> --
I will not be pushed, filed, stamped, indexed, briefed, debriefed, or numbered! My life is my own - No. 6
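The cross-check ~M suggests (listeners reported by lsof but missing from netstat point at a trojaned netstat or a hidden listener) can be scripted so it is repeatable. The following is an added example, not code from the thread. It parses constructed sample output of `lsof -ni` and `netstat -lp` (the ports, PIDs and program names are made up, and the netstat sample deliberately omits one listener to model a hiding binary) and prints every proto:port that lsof sees and netstat does not. On a real system, feed it the live output of the two commands instead of the samples.

```shell
#!/bin/sh
# Added example: compare listening sockets seen by lsof against those seen by netstat.
# Constructed sample output stands in for the live commands so this runs offline.

LSOF_SAMPLE='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      312 root    3u  IPv4   1234      0t0  TCP *:22 (LISTEN)
ircd      777 ircd    4u  IPv4   1240      0t0  TCP *:6667 (LISTEN)
opennap   790 nap     5u  IPv4   1245      0t0  TCP *:8888 (LISTEN)
named     410 root    6u  IPv4   1250      0t0  UDP *:53'

# Constructed netstat -lp output: note that the 8888 listener is absent here.
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      312/sshd
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN      777/ircd
udp        0      0 0.0.0.0:53              0.0.0.0:*                           410/named'

# Print "proto:port" for every listening socket in lsof -ni output.
# A TCP socket counts only if the line carries (LISTEN); UDP sockets are always bound listeners.
lsof_ports() {
    printf '%s\n' "$1" | awk 'NR > 1 {
        for (i = 1; i <= NF; i++) {
            if ($i == "TCP" || $i == "UDP") {
                proto = tolower($i)
                n = split($(i + 1), addr, ":")   # last field after ":" is the port
                if (proto == "udp" || $0 ~ /\(LISTEN\)/) print proto ":" addr[n]
            }
        }
    }' | sort -u
}

# Print "proto:port" for every listening socket in netstat -lp output (tcp6/udp6 folded into tcp/udp).
netstat_ports() {
    printf '%s\n' "$1" | awk '$1 ~ /^(tcp|udp)6?$/ {
        proto = $1; sub(/6$/, "", proto)
        n = split($4, addr, ":")
        print proto ":" addr[n]
    }' | sort -u
}

# Listeners lsof reports that netstat does not: each one deserves a look at the
# program in lsof's left-hand column (and at the netstat binary itself).
hidden_ports() {
    nst=$(netstat_ports "$2")
    lsof_ports "$1" | while IFS= read -r p; do
        if ! printf '%s\n' "$nst" | grep -qxF -- "$p"; then
            echo "$p"
        fi
    done
}

hidden_ports "$LSOF_SAMPLE" "$NETSTAT_SAMPLE" | sed 's/^/listener seen by lsof but not by netstat: /'
```

When running this against live output, use numeric forms on both sides (`lsof -niP` and `netstat -lpn`) so the port columns compare as numbers rather than service names; a listener that shows up only in lsof is not proof of a rootkit by itself, but it is exactly the discrepancy the reply above tells you to chase.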