On Thursday 04 December 2003 08:27 am, PJ Welsh wrote:
> On Wed, Dec 03, 2003 at 10:42:40PM -0500, TeleSIP wrote:
> > A good rootkit will also modify the date and time of the replaced binaries
> > so they will look the same as the original.
> >
> > Try to replace your "ps" command with that from a trusted RH9 machine. If
> > it works ok then you must do a clean install to get rid of the rootkit.
>
> Using the RPM database for package verification is a good way to check, also
> (better than date/time stamp). So:
>
> rpm -V procps
>
> procps is the package for ps and some other commands, "V" = verify the whole
> package. This should NOT return ANY error or information. So, if you get
> something like "S.5....T c /bin/ps" or ANYTHING else for THIS package you've
> got a problem.

I would download and try http://www.chkrootkit.org/
This is pretty much the standard tool to use. There are also good links under
'Related Links' towards the bottom of the page.

Regards...Martin
--
3rd Law of Computing: Anything that can go wr
fortune: Segmentation violation -- Core dumped
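
As an added example (not part of any poster's message), this shell function decodes `rpm -V` lines such as the "S.5....T c /bin/ps" quoted above into named checks, and also accepts the longer flag string with a trailing `P` column that newer rpm releases print. The function name, the ALERT/REVIEW labels and the sample lines are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: decode `rpm -V` output into readable findings.
# The ALERT/REVIEW labels are this example's triage assumption, not rpm's.

# Reads `rpm -V <package>` output on stdin and prints one tab-separated line
# per file: LABEL, path, file attribute (c/d/g/l/r or -), failed checks.
# Returns 0 when rpm reported nothing (a clean package), 1 otherwise.
decode_rpm_verify() {
  awk '
    BEGIN {
      name["S"] = "size";   name["M"] = "mode";    name["5"] = "digest"
      name["D"] = "device"; name["L"] = "symlink"; name["U"] = "owner"
      name["G"] = "group";  name["T"] = "mtime";   name["P"] = "capabilities"
    }
    NF == 0 { next }
    index($0, "/") == 0 {                        # not a per-file result line
      n++; printf "REVIEW\t-\t-\tunparsed: %s\n", $0; next
    }
    {
      n++
      path = substr($0, index($0, "/"))          # keeps paths with spaces
      attr = ($2 ~ /^[cdglr]$/) ? $2 : "-"
      if ($1 == "missing") {                     # packaged file is gone
        printf "ALERT\t%s\t%s\tmissing\n", path, attr; next
      }
      reasons = ""; label = "REVIEW"
      for (i = 1; i <= length($1); i++) {
        ch = substr($1, i, 1)
        if (ch == ".") continue                  # this check passed
        if (ch == "5") label = "ALERT"           # file content changed
        r = (ch == "?") ? "untested" : ((ch in name) ? name[ch] : "unknown")
        reasons = reasons (reasons == "" ? "" : ",") r
      }
      printf "%s\t%s\t%s\t%s\n", label, path, attr, reasons
    }
    END { exit (n > 0) }
  '
}

# Constructed sample: the line quoted in the thread plus an mtime-only change.
decode_rpm_verify <<'EOF' || echo "package failed verification"
S.5....T c /bin/ps
.......T   /usr/bin/top
EOF
```

Real output is piped in with `rpm -V procps | decode_rpm_verify`. Because the rpm binary and database on a suspect host can themselves be altered, a clean result from the local system is weaker evidence than one produced by a trusted rpm verifying against the original package file (`rpm -Vp`).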
