Quoting [EMAIL PROTECTED] ([EMAIL PROTECTED]):

> I ran a chkrootkit program on my system and got some very disturbing
> messages. I'm not sure if my system is really infected though. Nearly two
> years ago I had a hard disk malfunction which caused some files to be
> corrupted so this might be setting off some alarms. Any suggestions on
> what I should do?
>
> Disturbing messages:
>
> Checking `ps'... INFECTED
> Checking `tcpd'... INFECTED
> Checking `top'... INFECTED
> Checking `bindshell'... INFECTED (PORTS: 31336)
> Checking `rexedcs'... INFECTED
>
> What are "bindshell" and "/usr/sbin/in.rexedcs" anyway?
>
> I'm downloading procps now to replace my ps and top. How do I fix tcpd?

By reinstalling your entire system from original media -- assuming it's
really security-compromised.

You should consider checking the size of, say, /usr/bin/login and other key
system binaries (ps, top, ls, netstat...) against master copies on your
installation media. (To be truly thorough, you'd check md5sums. RPM will do
this, but the check is of doubtful utility unless you keep a copy of the RPM
database off-system, away from the bad guys.)

If you see differences, then back up all non-program files (user data), make
a tarball of /etc for later reference, blow away the entire system,
reinstall, and issue all new passwords to your users. (You'll have to notify
them in person or via telephone.)

Once a system has become compromised, you can't trust any binaries on it,
nor the configuration files in /etc, nor any of the users' dotfiles.

_
Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]
To subscribe to the Linux Newbies' List: send "subscribe" in the body to [EMAIL PROTECTED]
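
The comparison against master copies described in the reply above, as an added example that is not part of the original message: it checks size first and then a hash, so a replacement of identical size is still caught. SHA-256 stands in for the md5sums mentioned; the function names, the two root directories, and every path other than /usr/bin/login are assumptions, and the sample files are constructed.

```python
import hashlib
import os
import tempfile


def file_digest(path, algo="sha256"):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_to_master(master_root, suspect_root, rel_paths):
    """Compare each file under suspect_root with its copy under master_root."""
    results = {}
    for rel in rel_paths:
        master = os.path.join(master_root, rel)
        suspect = os.path.join(suspect_root, rel)
        if not os.path.isfile(master):
            results[rel] = "no-master-copy"   # nothing trusted to compare against
        elif not os.path.isfile(suspect):
            results[rel] = "missing"
        elif os.path.getsize(master) != os.path.getsize(suspect):
            results[rel] = "size-differs"     # the quick check from the reply
        elif file_digest(master) != file_digest(suspect):
            results[rel] = "hash-differs"     # same size, different content
        else:
            results[rel] = "ok"
    return results


def demo():
    """Constructed trees standing in for installation media and the suspect disk."""
    samples = {  # rel path: (bytes on media, bytes on disk or None if absent)
        "usr/bin/login": (b"login-v1", b"login-v1"),
        "bin/ps": (b"ps-original", b"ps-replaced-longer"),
        "usr/bin/top": (b"top-AAAA", b"top-BBBB"),
        "usr/sbin/tcpd": (b"tcpd", None),
    }
    with tempfile.TemporaryDirectory() as tmp:
        roots = (os.path.join(tmp, "media"), os.path.join(tmp, "disk"))
        for rel, contents in samples.items():
            for root, data in zip(roots, contents):
                if data is not None:
                    path = os.path.join(root, rel)
                    os.makedirs(os.path.dirname(path), exist_ok=True)
                    with open(path, "wb") as f:
                        f.write(data)
        return compare_to_master(roots[0], roots[1], list(samples))
```

Run a check like this from rescue or installation media with the suspect disk mounted read-only, so that neither the interpreter nor the libraries doing the hashing come from the system being examined.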
