Here are the symptoms... from chkrootkit:
Checking `lkm'... You have 1 process hidden for ps command
Warning: Possible LKM Trojan installed

And really weird... from the "locate" command...

[root /home]# locate crypto
/home/susr/doc/python-docs-1.5.2/Doc/libcrypto.tex

Now we know this should be:

[root /home]# locate crypto
/usr/doc/python-docs-1.5.2/Doc/libcrypto.tex

and in fact the file is where it's supposed to be.

When we first saw this we thought we were lucky; that we'd found the hacker because the slocate update was running at the moment he was hacking, and we started looking at those files... until we realized locate returned something weird like this for EVERY file on the box that didn't already start with /home/s

Here's the scenario...

We restore the box. It's good. We restore the sites (CMU). Good. The next day it has the symptoms again.

Any help/ideas/requests for consulting work <smile> gratefully appreciated.

Jeff
--
Jeff Lasman <[EMAIL PROTECTED]>
Linux and Cobalt/Sun/RaQ Consulting
nobaloney.net
P. O. Box 52672, Riverside, CA 92517
voice: (909) 778-9980 * fax: (702) 548-9484
