> -----Original Message-----
> From: Anthony Campbell [mailto:[EMAIL PROTECTED]
> Sent: 23 March 2004 08:53
>
> > Download a known good (recent) copy of chkrootkit to the box, run it and see
> > if it gives you anything.
> >
> > I'd strongly recommend isolating the box from the net until you're _sure_
> > you're not rooted.
> >
> > Mark.
>
> Things seem to be getting worse. I originally discovered the problem
> because a routine upgrade of procps failed because it could not make a
> link to /bin/ps. I eventually found that it was due to the "i" flag on
> that file. I removed the flag and it then worked. However, last night I
> found that the flag had returned. I removed it again.
>
> Today, I found that upgrading procps failed again, this time because it
> was unable to create /bin/kill. But /bin/kill does not have the "i" flag
> set. So it definitely seems that something strange is happening.
>
> AC
1. Disconnect the box from the network.
2. No, really, disconnect the box from the network.
3. Get a copy of this: http://www.chkrootkit.org/
4. Build it on a known clean box.
5. Copy the binaries to your hacked box.
6. Run them and see what they say.
7. Reinstall your hacked box. Don't bother trying to repair it; you can _never_ be sure you got it all.

Mark.
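Two checks a defender would run from the known-clean toolset Mark describes, as an added example that is not part of the thread: list which system binaries carry the immutable "i" attribute that kept reappearing on /bin/ps, and compare binaries against a hash baseline taken from a clean install. The lsattr lines below are constructed sample output; `sha256sum` and `lsattr` are assumed to be the trusted copies, not the ones on the compromised box.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes lsattr(1) and
# sha256sum(1) are run from a known-clean medium, not the suspect box.

# Constructed sample lsattr output, as a box with a trojaned, immutable
# /bin/ps and /bin/ls might show it (attribute field, then path).
SAMPLE_LSATTR='----i---------e------- /bin/ps
--------------e------- /bin/kill
----i---------e------- /bin/ls
--------------e------- /bin/netstat'

# Read lsattr-style lines on stdin and print the paths whose attribute
# field contains the lowercase immutable flag "i" (uppercase "I" is a
# different flag and is not matched).
immutable_from_lsattr() {
    while IFS= read -r line; do
        attrs=${line%% *}
        path=${line#* }
        case "$attrs" in
            *i*) printf '%s\n' "$path" ;;
        esac
    done
}

# Live wrapper: report immutable files among the given paths.
immutable_files() {
    lsattr -d -- "$@" 2>/dev/null | immutable_from_lsattr
}

# Compare files against a baseline of "sha256  path" lines produced by
# "sha256sum" on a clean install; print each path that differs or is
# missing. Run from the directory the baseline was made in.
verify_baseline() {
    sha256sum -c --quiet -- "$1" 2>/dev/null | sed -n 's/: FAILED.*$//p'
}

# Demo on the constructed sample: prints /bin/ps and /bin/ls.
printf '%s\n' "$SAMPLE_LSATTR" | immutable_from_lsattr
```

A binary that is both immutable and fails the baseline check is the combination worth treating as evidence of tampering rather than as an admin's hardening choice.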