Unless you have tripwire or some other signature records of the binaries and all conf's for the system, you are best off to wipe and reinstall this system from scratch. Even if you *do* have tripwire and md5 hashes of all files on the system, you most likely will find it quicker yo wipe and reinstall the system from scratch. With the added step in all reinstall cases of this type, to patch the holes that allowed toe comepromise to take place *prior* in reconnecting tot eh dangerous env from whence it was compromised.
Thanks, Ron DuFresne On Sun, 21 Dec 2003, Chris wrote: > Can anyone reccomend some links or useful information for removing the > "ShKit Rootkit". CHKROOTKIT detected this thing on a RedHat 8.0 server > owned by a client of mine. > > "Searching for ShKit rootkit default files and dirs... Possible ShKit > rootkit installed" <== chkrootkit output > > I have only read limited information on this rootkit from a honeypot > report where it was used, no cleaning information. Ive googled a bunch > of times, dont go out of your way to answer this, the box will be redone > anyway. Im just curious to find out what this rootkit is about, not even > packetstorm has a copy to look at :) > > Thanks, > > ChrisR- > http://www.cr-secure.net > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart ***testing, only testing, and damn good at it too!*** OK, so you're a Ph.D. Just don't touch anything. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
