[Nottingham] Rootkit/break in

Rob Andrews nottingham at mailman.lug.org.uk
Mon Aug 11 14:18:00 2003


[11-Aug-2003 14:02.07 (BST) / Johannes Kling]
 > However, I was unable to identify exactly what rootkit was used.

Suggest you take a look at chkrootkit. Should be able to identify the
rootkit used.

Both Debian and Red Hat have mechanisms for checking the MD5 sums of
binaries, although ultimately the One True Way of getting rid of a rootkit
once and for all is rebuilding the OS. You can't always trust the cracker
enough not to have modified the filesystem at a lower level than modifying
the file attributes.

My two penneth.
n.

-- 
rob 'nine' andrews                 <e> rob@impure.org.uk <pgp> 8bb5c71e
"we're not here because we're free, we're here because we're not free."
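As an added example (not part of the original post or of either distribution's tooling), this script checks files against a Debian-style `.md5sums` manifest, the per-package files kept under `/var/lib/dpkg/info/`, where each line is `<32 hex md5>  <path relative to />`. It assumes `root` is the suspect disk mounted from a trusted rescue system and that the manifest comes from a clean source, since, as Rob notes, tools and metadata on a rooted box can lie; the sample tree and manifest are constructed inline.

```python
import hashlib
import tempfile
from pathlib import Path


def parse_md5sums(text: str) -> dict:
    """Parse dpkg-style manifest text into {relative_path: expected_md5}."""
    expected = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, sep, rel = line.partition("  ")  # dpkg writes two spaces between hash and path
        if not sep or len(digest) != 32 or not rel:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[rel] = digest.lower()
    return expected


def md5_of(path: Path) -> str:
    """Stream the file through MD5 so large binaries need not fit in memory."""
    h = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(root: Path, manifest_text: str) -> dict:
    """Return {"ok": [...], "modified": [...], "missing": [...]} of relative paths under root."""
    result = {"ok": [], "modified": [], "missing": []}
    for rel, digest in parse_md5sums(manifest_text).items():
        target = root / rel  # paths in the manifest are relative to the mounted root
        if not target.is_file():
            result["missing"].append(rel)
        elif md5_of(target) != digest:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def demo() -> dict:
    """Constructed sample: a fake root with one intact, one altered and one deleted binary."""
    root = Path(tempfile.mkdtemp())
    (root / "bin").mkdir()
    shipped = b"#!/bin/sh\nexec /bin/true\n"          # stand-in for the packaged file contents
    (root / "bin" / "ps").write_bytes(shipped)        # intact
    (root / "bin" / "ls").write_bytes(shipped + b"# changed after install\n")
    manifest = "".join(hashlib.md5(shipped).hexdigest() + f"  bin/{n}\n" for n in ("ps", "ls", "netstat"))
    return verify(root, manifest)


if __name__ == "__main__":
    print(demo())
```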