user tracking
Don Harrop
"Don Harrop" <don@nis4u.com>
Tue, 26 Sep 100 10:37:46 EST
Ya, I already know about *most* of them. I'm pretty sure I cleaned it all up though. He tried again last night and couldn't. ;-) Clean up was successful. Rebuilding the whole box would have been a major pain in the ass as well as unwanted down time. I know it's only a mush (game) server but those are the people that are constantly on and scream during downtime.. :-)
Don
There are also other items in a standard rootkit.
You could spend time checking ls, ps, top, sum, yada
yada yada, against your pristine versions on read-only
installation media (after booting into single-user
mode on pristine read-only trusted media (and ONLY
running binaries from said media)), but IMHO your best
bet after a breach/rootkit incident is to take off and
nuke the site from orbit. It's the only way to be sure.
I'm sure there's a HOWTO on cleaning up your system
after a rootkit "upgrade." Check Google.
D