darren chamberlain wrote:
> Another alternative is to replace it with something that appears
> to do the same thing, but actually logs a ton of stuff from the
> requestor.
You can't trust any part of a compromised box, right down to the 'ls' command. Once you know someone has been able to run arbitrary commands on your machine, they could have installed ANYTHING. They might have a rootkit, they might have replaced your ssh binary with something that mails passwords to them, they might be using your box as part of a DoS attack on someone else's site, they might be on your box running as root *right now*. You don't even know how they got on the box in the first place. Disconnect it.

- Perrin