possible LKM rootkit infection

Scott Brewster plug-discuss@lists.plug.phoenix.az.us
Wed, 19 Jun 2002 12:55:09 -0700 (PDT)


--- technomage <technomage-hawke@cox.net> wrote:
> ok,
<snip> 
> as a safety measure when I first found an intruder on my system some weeks 
> back, I changed all passwords, ran chattr +ui on some specified directories 
<snip>

Hmm.... the fact that you had an intruder is not a good sign.  Even though you
changed the passwords, etc., there may have already been something in place that
passed that info back to the intruder.  Any idea on how long the intruder had
access to your system?  

Personally, I would cut my losses - print (yes print) any config files that you
want to re-implement, wipe the box and re-install from scratch.

Or

if you have the disk to spare, rebuild the system on a new disk.  Once done,
mount up the old disk - don't run anything from it - and give it a thorough
going over - see if you can figure out what was done to compromise the system.
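
The second option above (mount the old disk from the rebuilt system and go over it without running anything from it), as an added shell example that is not part of the original message. The device name, mount point, reference file and function names are hypothetical, and the commands are meant to be run as root on the clean system.

```shell
#!/bin/sh
# Added example: offline triage of a suspect disk from a freshly rebuilt system.
# /dev/sdX1, /mnt/suspect and the function names below are placeholders.

# Mount the old disk so nothing on it can be modified or executed.
# For ext3/ext4, add "noload" to the options to skip journal replay.
mount_suspect() {   # usage: mount_suspect /dev/sdX1 /mnt/suspect
    mkdir -p "$2" && mount -o ro,noexec,nosuid,nodev "$1" "$2"
}

# Set-uid and set-gid files: compare this list with the same listing
# taken from the clean install to spot binaries that should not be there.
list_setid() {      # usage: list_setid /mnt/suspect
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Regular files under dev/: that directory normally holds device nodes,
# so ordinary files there deserve a look (MAKEDEV is a known exception).
list_dev_regular() {  # usage: list_dev_regular /mnt/suspect
    if [ -d "$1/dev" ]; then
        find "$1/dev" -xdev -type f -print 2>/dev/null | sort
    fi
}

# Files modified after a reference file. Create the reference with
# "touch -t" set to the earliest time the intruder could have had access.
list_newer() {      # usage: list_newer /mnt/suspect /root/reference
    find "$1" -xdev -type f -newer "$2" -print 2>/dev/null | sort
}

# Typical session (not executed here):
#   mount_suspect /dev/sdX1 /mnt/suspect
#   list_setid /mnt/suspect        > /root/suspect-setid.txt
#   list_dev_regular /mnt/suspect  > /root/suspect-dev.txt
#   touch -t 200206010000 /root/reference
#   list_newer /mnt/suspect /root/reference > /root/suspect-newer.txt
```

Modification times on a compromised disk can be forged, so treat the `list_newer` output as a starting point rather than a complete list.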
