On Fri, 2 Jan 2004, Daniel McAferty wrote:

> I downloaded the chkrootkit program you suggested earlier,
> and it looks like I may have some problems with infected
> files and "possible rootkits" installed.
...
> Now what do I do to fix or verify?

Try verifying with "rpm -V" that I suggested in an earlier email.
(Hopefully, your rpm is not compromised too.)

I'd suggest you take your system off the network. You may want to run your
own safe (installed to your home directory or from a CD, for example)
tcpdump and netstat first and record some information on who is abusing
you.

You may want to simply unplug the box. Don't use halt or shutdown because
they may be compromised too.

Have a look at:

http://www.cert.org/tech_tips/root_compromise.html
http://secinf.net/unix_security/Linux_Security_HOWTO/Linux_Security_HOWTO__What_To_Do_During_and_After_a_Breakin.html
http://www.linuxsecurity.com/docs/harden-doc/html/securing-debian-howto/ch-after-compromise.en.html

Jeremy C. Reed
http://bsd.reedmedia.net/
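
Added example, not part of the original message: a small filter for triaging "rpm -Va" output, keeping only non-config files whose digest changed, could not be read, or that are missing. The function names and the sample lines are constructed for illustration, and it assumes the output came from an rpm binary and database you trust (for example run from a CD, as suggested above).

```shell
#!/bin/sh
# Triage `rpm -Va` output. Each verify line is an attribute string
# (S size, M mode, 5 digest, D device, L symlink, U user, G group,
# T mtime, P capabilities; older rpm prints 8 columns), an optional
# one-letter file marker (c = config file), then the path.

# Hypothetical helper: reads `rpm -Va` output on stdin and prints
# CHANGED / UNVERIFIED / MISSING lines for files that are not config files.
rpm_triage() {
    awk '
    {
        # Path is everything after the first " /", so spaces in names survive.
        path = substr($0, index($0, " /") + 1)
        marker = ($2 ~ /^[cdglr]$/) ? $2 : ""
    }
    $1 == "missing" {
        if (marker != "c") print "MISSING " path
        next
    }
    $1 ~ /^[SM5DLUGTP.?]+$/ && length($1) >= 8 {
        if (marker == "c") next          # edited config files are routine
        digest = substr($1, 3, 1)        # third column is the digest test
        if (digest == "5") print "CHANGED " path
        else if (digest == "?") print "UNVERIFIED " path
    }'
}

# Constructed sample input (not taken from a real system).
sample_rpm_verify_output() {
    cat <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /bin/ps
..5....T.    /bin/netstat
.......T.    /usr/bin/top
missing      /sbin/ifconfig
missing    c /etc/motd
..?......    /usr/bin/passwd
S.5....T     /bin/ls
EOF
}

# Demo on the sample; on a real host: rpm -Va | rpm_triage
sample_rpm_verify_output | rpm_triage
```

A changed digest on a binary such as ps, netstat or ls is what the chkrootkit warning needs to be checked against; timestamp-only differences and edited config files are dropped as noise.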