The only way to be sure you've removed all backdoors and compromised files is to disconnect from the net, format all of your drives and reinstall from scratch. Once the system is running, apply any security patches and lock down your box (/etc/hosts.deny = ALL: ALL, /etc/hosts.allow = ALL: localhost, comment out most services in /etc/inetd.conf, disable most of the network daemons that are started in /etc/rc#.d). Finally, copy your data (JUST DATA, no executables) from a backup and reconnect to the network.
Probably sounds like overkill, but when all is said and done, I think you'll feel better -- and it might even take less time than trying to find all the things that have been affected.

Chris
--
Christopher S. Swingley          tel: 907-474-2689 fax: 474-2643
930 Koyukuk Drive, Suite 408C    email: [EMAIL PROTECTED]
University of Alaska Fairbanks   www.frontier.iarc.uaf.edu:8080/
Fairbanks, AK 99775              ~cswingle
PGP key: http://www.frontier.iarc.uaf.edu:8080/~cswingle/pubkey.asc
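
An added example, not part of the original message: a POSIX shell check that a freshly reinstalled box matches the TCP wrappers and inetd settings named above. The function names, the ROOT argument and the sample files are assumptions made for illustration, and treating each wrappers file as holding only the single rule from the post is this example's reading of it.

```shell
#!/bin/sh
# Added example: audit the lockdown settings named in the post.
# ROOT (hypothetical parameter) lets the check run on a copy of /etc;
# call `audit_lockdown ""` to audit the live system.

# Print the lines of a file that are neither comments nor blank.
active_lines() {
    [ -r "$1" ] || return 0
    sed 's/#.*//' "$1" | grep -v '^[[:space:]]*$' || true
}

# Print one finding per line; print nothing if nothing needs attention.
audit_lockdown() {
    root=${1:-}
    # Drop spaces and tabs so "ALL: ALL" and "ALL:ALL" compare equal.
    deny=$(active_lines "$root/etc/hosts.deny" | tr -d ' \t')
    allow=$(active_lines "$root/etc/hosts.allow" | tr -d ' \t')
    [ "$deny" = "ALL:ALL" ] ||
        echo "hosts.deny: expected the single rule 'ALL: ALL'"
    [ "$allow" = "ALL:localhost" ] ||
        echo "hosts.allow: expected the single rule 'ALL: localhost'"
    # Every uncommented inetd.conf line is a service inetd still starts.
    active_lines "$root/etc/inetd.conf" | while read -r svc rest; do
        echo "inetd.conf: still enabled, review: $svc"
    done
}

# Build a constructed sample tree (not taken from the post) and print its path.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/etc"
    printf 'ALL: ALL\n' > "$d/etc/hosts.deny"
    printf '# local only\nALL: localhost\n' > "$d/etc/hosts.allow"
    {
        printf '#ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd\n'
        printf 'telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd\n'
    } > "$d/etc/inetd.conf"
    echo "$d"
}
```

Running `audit_lockdown "$(make_sample)"` reports the telnet line that was left uncommented in the sample inetd.conf.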