On Sun, Sep 14, 2003 at 10:47:50AM -0500, Mike Burger wrote:
> I'll check out Axel's RPMs. If they're created against Red Hat's sources,
> I'll probably be happy.
>
> Luckily for me, I have H+BEDV's AntiVir scanning my system, each night,
> and it detects this type of thing, so I don't think the thing actually got
> installed to where it can do any damage...but I want to be as safe as
> possible.
oh please. if there are pieces of rootkit on your box then whether
they installed it or not is IRRELEVANT, your box was compromised,
period.
you cannot know what they did or did not do; your only responsible
recourse is a complete mkfs of all filesystems (i would dd the entire
disk with zeros) and a reinstall, then to audit your latest backup of
user data (do NOT restore ANY binaries).
they could have installed a kernel module which will alter the
behavior of arbitrary tools WITHOUT replacing any binary on your
system, which means tripwire and the most expensive `antivirus'
software will NOT be able to help you. don't think that such a module
will show up in lsmod output either, or that its file is visible to
you on the filesystem.
your box has been compromised, you need to rebuild it.
--
Ethan Benson
http://www.alaska.net/~erbenson/
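As an added example that is not part of the thread above: the reply's point is that a kernel-module rootkit can hide itself from lsmod and its files from directory listings, so any single view of the system is suspect. The usual practitioner response, short of the rebuild the reply recommends, is a cross-view check: ask two independent kernel interfaces the same question and flag disagreement. The script below compares the module list in /proc/modules (what lsmod prints) against the directories under /sys/module, and compares a directory's hard-link count against the number of subdirectories readdir() actually returns. It assumes a Linux 2.6 or later kernel with sysfs mounted (sysfs postdates this 2003 thread), assumes the filesystem keeps the nlink == 2 + subdirectories invariant (ext2/3/4 and tmpfs do; btrfs does not), and the sample data, including the module name `evil_mod`, is constructed for illustration. A rootkit that also filters sysfs and getdents() defeats both checks, which is exactly why the reply says a compromised host cannot be trusted to audit itself.

```python
# Added example, not code from the thread: cross-view checks for a hidden
# kernel module and for entries filtered out of a directory listing.
# Assumptions: Linux 2.6+ with sysfs mounted; ext2/3/4 or tmpfs nlink semantics.
# All SAMPLE_* data is constructed; "evil_mod" is an illustrative name.
import os
from typing import Dict, Set, Tuple

# Constructed /proc/modules content (the first column is what lsmod shows).
SAMPLE_PROC_MODULES = """\
ext3 89256 2 - Live 0xf8a1c000
jbd 52376 1 ext3, Live 0xf8a0a000
e100 30212 0 - Live 0xf89f5000
"""

# Constructed sysfs view: module name -> whether /sys/module/<name>/initstate
# exists. Built-in code with parameters (e.g. printk) also gets a directory
# under /sys/module but no initstate, so it must not count as "loaded".
SAMPLE_SYS_MODULE = {
    "ext3": True,
    "jbd": True,
    "e100": True,
    "printk": False,
    "evil_mod": True,  # constructed: unlinked from the module list, still in sysfs
}


def parse_proc_modules(text: str) -> Set[str]:
    """Module names as lsmod reports them (first field of each /proc/modules line)."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def loaded_from_sysfs(view: Dict[str, bool]) -> Set[str]:
    """Modules sysfs considers loaded: entries that carry an initstate file."""
    return {name for name, has_initstate in view.items() if has_initstate}


def hidden_modules(proc_text: str, sysfs_view: Dict[str, bool]) -> Set[str]:
    """Modules present in the sysfs view but absent from /proc/modules."""
    return loaded_from_sysfs(sysfs_view) - parse_proc_modules(proc_text)


def hidden_subdir_count(nlink: int, visible_subdirs: int) -> int:
    """Number of subdirectories the link count implies but readdir() did not list.

    On ext2/3/4 and tmpfs a directory's nlink is 2 + its subdirectory count.
    Filesystems that do not keep that invariant report nlink == 1 (btrfs),
    and for those the check returns 0 rather than a false positive.
    """
    if nlink < 2:
        return 0
    return max(0, (nlink - 2) - visible_subdirs)


def read_sysfs_view(base: str = "/sys/module") -> Dict[str, bool]:
    """Live sysfs view of the running host (the offline sample does not use it)."""
    return {
        name: os.path.exists(os.path.join(base, name, "initstate"))
        for name in os.listdir(base)
    }


def scan_directory(path: str) -> Tuple[int, int]:
    """Live (nlink, visible subdirectory count) for one directory."""
    nlink = os.lstat(path).st_nlink
    subdirs = sum(1 for e in os.scandir(path) if e.is_dir(follow_symlinks=False))
    return nlink, subdirs


if __name__ == "__main__":
    print("sample hidden modules:", hidden_modules(SAMPLE_PROC_MODULES, SAMPLE_SYS_MODULE))
    if os.path.isdir("/sys/module") and os.path.exists("/proc/modules"):
        with open("/proc/modules") as f:
            live = hidden_modules(f.read(), read_sysfs_view())
        print("live hidden modules:", live or "none")
    for d in ("/lib/modules", "/tmp", "/dev"):
        if os.path.isdir(d):
            n, s = scan_directory(d)
            print(d, "unlisted subdirectories:", hidden_subdir_count(n, s))
```

Run it on the host in question and treat any non-empty result as confirmation, not as a clean bill of health when empty: an absent discrepancy only means the two views you picked agree, and a module that hooks both sys_getdents and the sysfs readers will make them agree.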