> which isn't backdoored. Only problem with this is, once it is on your
> potentially infected box, its output can no longer be trusted, as one of
> those 69 processes could maim the output of your new ps, not to mention how
> easily a kernel backdoor [LKM, kernel patch (hard or /dev/kmem)] could do.
Very true. As such, your best bet, if you're up for it, is to get a bootable Linux CD (I prefer Knoppix myself), boot off of that, mount your hard drive in read-only (ro) mode and compare the binary signatures (MD5s) of your executables (esp. common ones like ps and ls) to their published values. If you have an rpm-based system like RedHat you can get this information from the rpm used to install the command, like this:

    $ rpm -qp --dump fileutils-4.1.11-5mdk.rpm | grep '/bin/ls'
    /bin/ls 69708 1030538378 c133e0cf49bce7a65dd3e9d80eb190b2 0100755 root root 0 0 0 X
    $ md5sum /bin/ls
    c133e0cf49bce7a65dd3e9d80eb190b2  /bin/ls

See how the 4th field there matches the output of md5sum? That's what you want to see. If you don't see that, you've got problems. (Note that this is from my live system -- if you've booted from CD and have your hard drive mounted as /hd, you'll want to test /hd/bin/ls and compare that to the rpm md5 for /bin/ls.)

I imagine that there are some good guides on the web to doing this sort of forensic analysis, so do a little searching. In the end, the best thing you can probably do is get your data off the system, figure out how they got in, then wipe the system, reinstall, and patch your system so it doesn't happen again. :-(

Good luck!

Terry

import standard.disclaimer;
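The comparison Terry describes, done for every file in a package rather than one at a time, as an added example that is not part of the original thread: it parses the `rpm -qp --dump` field layout shown above, hashes each path under the read-only mount point (assumed to be /hd, as in the post) rather than the live root, and reports mismatches or missing files. The dump field order, the all-zero digest for non-regular files, and the fact that newer rpm records SHA-256 instead of MD5 are assumptions from rpm's documented behaviour, not from the post; the sample tree and dump text are constructed.

```python
import hashlib
import os
import tempfile

DIGEST_BY_LEN = {32: "md5", 64: "sha256"}  # older rpm records MD5, rpm >= 4.6 SHA-256

def parse_dump(text):
    """Map path -> digest from `rpm -qp --dump` lines (fields: path size mtime digest
    mode owner group isconfig isdoc rdev symlink). All-zero digests (dirs, symlinks) skipped."""
    digests = {}
    for fields in (line.split() for line in text.splitlines()):
        if len(fields) >= 11 and set(fields[3]) != {"0"}:
            digests[fields[0]] = fields[3].lower()
    return digests

def file_digest(path, algo):
    with open(path, "rb") as f:
        return hashlib.new(algo, f.read()).hexdigest()

def verify(digests, root):
    """Hash each packaged path under `root` (the read-only mount, e.g. /hd), never the
    live tree. Returns [(path, 'ok' | 'MISMATCH' | 'missing' | 'unknown-digest')]."""
    results = []
    for path, expected in sorted(digests.items()):
        on_disk = os.path.join(root, path.lstrip("/"))
        algo = DIGEST_BY_LEN.get(len(expected))
        if algo is None:
            status = "unknown-digest"
        elif not os.path.isfile(on_disk):
            status = "missing"
        else:
            status = "ok" if file_digest(on_disk, algo) == expected else "MISMATCH"
        results.append((path, status))
    return results

def demo():
    """Constructed /hd-style tree: /bin/ls intact, /bin/ps altered, /bin/cp absent."""
    root = tempfile.mkdtemp(prefix="hd-")
    os.makedirs(os.path.join(root, "bin"))
    good = b"#!/bin/sh\necho clean\n"
    for name, data in (("ls", good), ("ps", good + b"# trojaned\n")):
        with open(os.path.join(root, "bin", name), "wb") as f:
            f.write(data)
    md5 = hashlib.md5(good).hexdigest()
    dump = "\n".join(f"/bin/{n} {len(good)} 1030538378 {md5} 0100755 root root 0 0 0 X"
                     for n in ("ls", "ps", "cp"))
    dump += "\n/bin 4096 1030538378 " + "0" * 32 + " 040755 root root 0 0 0 X"
    return verify(parse_dump(dump), root)
```

On a real rescue boot, feed `verify()` the output of `rpm -qp --dump` for each installed package and pass the mount point as `root`; a MISMATCH on a binary that was not legitimately updated is the signal to treat the system as compromised.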