Hi Robson,

> I ran rootkit and I got:
> Searching for t0rn's default files and dirs... Possible t0rn rootkit
> installed
> What do I do to remove it?

Now that's hard to give do-it-yourself instructions on, as T0rn comes in
different manifestations and who knows what else unwanted visitors did to
your box. The safe way to go is to do an OS restore and to start over. Or to
ask for professional help to clean the box out.

I've got quite some experience with removing T0rn. So far I've pulled it from
six or seven owned RaQs and one RH 6.2 server. It's possible to do this
without OS restore and it usually takes between 60 and 90 minutes. This
includes reinstalling system binaries from RPMs which T0rn replaces, as well
as checking start-scripts, file- and user-permissions, open sockets and
suspicious files.

After that you've got a restored system, with all the latest patches, with
Logwatch, Portsentry and IPchains installed.

--
Mit freundlichen Grüßen / Best regards
Michael Stauber
Stauber Multimedia Design ____ Phone: +49-6471-923812
Hauptstrasse 31 ______ D-56244 Goddert ______ Germany
SMD.NET ___ SOLARSPEED.NET ___ FORUMWORLD.COM
_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
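
Added example, not part of Michael Stauber's message: one way to find which packaged system binaries need reinstalling from RPMs is to parse the output of `rpm -Va` and keep the non-config files whose digest, size, mode or ownership no longer match the package database. The directory list, the function name and the sample output are assumptions constructed for this illustration.

```python
import re

# One line of `rpm -Va` output: 8 flags (older rpm) or 9 (newer), an optional
# file-type marker (c = config, d = doc, ...), then the path.
VERIFY_RE = re.compile(r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?:(?P<kind>[cdglr])\s+)?(?P<path>/.*)$")
MISSING_RE = re.compile(r"^missing\s+(?:(?P<kind>[cdglr])\s+)?(?P<path>/.*)$")

# Assumption: directories treated as "system binaries" for this example.
SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/lib/", "/usr/lib/")

# Flags that matter for a replaced binary; mtime-only changes (T) are ignored.
REASONS = {"5": "digest", "S": "size", "M": "mode", "U": "owner", "G": "group"}

def changed_system_files(verify_output):
    """Return {path: [reasons]} for non-config files in SYSTEM_DIRS that fail verification."""
    findings = {}
    for line in verify_output.splitlines():
        line = line.strip()
        missing = MISSING_RE.match(line)
        match = missing or VERIFY_RE.match(line)
        if not match or match.group("kind") == "c":
            continue  # unparsable line, or a config file that is expected to change
        path = match.group("path")
        if not path.startswith(SYSTEM_DIRS):
            continue
        if missing:
            findings[path] = ["missing"]
            continue
        reasons = [name for flag, name in REASONS.items() if flag in match.group("flags")]
        if reasons:
            findings[path] = reasons
    return findings

# Constructed sample output, not taken from a real host.
SAMPLE = """\
S.5....T   /bin/ls
.M......   /sbin/ifconfig
S.5....T c /etc/inetd.conf
.......T   /usr/bin/top
missing    /usr/bin/find
S.5....T.  /bin/netstat
..5....T   /home/sites/home/index.html
"""

if __name__ == "__main__":
    for path, reasons in sorted(changed_system_files(SAMPLE).items()):
        print(f"{path}: {', '.join(reasons)}")
```

On a host that may be compromised, the rpm binary and its database can themselves have been altered, so run the verification with a known-good rpm from trusted media before relying on the result.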