> I have discovered that my server has been compromised. Welcome to the happy club comprising... everybody who's ever managed a server :D
> I believe it's > some sort of rootkit. You should also hunt for the way IN, otherwise you will never shut out the attacker. The rootkit is a way to REMAIN in, not a way to get entry. > It has managed to circumvent both rkhunter and > tripwire. Cool. How are you running tripwire, exactly ? Is the list of hashes on the same box that was compromised ? If so, I believe I can see why your tripwire didn't work :D Also, if the rootkit is loaded in kernel space, tripwire will be silent. > anyone know how I might detect/remove such rootkit? I hate to have to > reload OS/tripwire/rkhunter/reload permissions... start over. Sorry, you have to. There's no other safe way to get that box clean. Stefano ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
