Sorry for the self-reply - but I forgot something. ALWAYS find out how they got in BEFORE you stop processes, wipe the system, and restore your backup. You'll just get compromised again. Use lsof, and /proc/<pid of offending process>/env to look for clues regarding how they got in. You can also try sending rootkit daemons SIGSTOP to freeze the process while you examine it.
Don't wipe until you know for sure how they got in, or until you just can't take the risk of leaving it up any more. Often rootkits will delete their files, so when you kill the process the link count goes to zero and bye-bye access to their stuff. So if you are already compromised, take the time to learn how they did it so you can fix it. Sometimes you can't tell. In those cases you can almost count on a recurrence if you make no changes to the system/software/architecture. Back up the logs and any processes they have before rebuilding the system.

-Ryan

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
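As an added illustration (this is not part of Ryan's post, and the function names are made up for the example), here is a small POSIX shell script that does the preservation steps he describes in one go: freeze the suspect process with SIGSTOP, then copy out what /proc exposes about it before anything is killed. The environment is read from /proc/<pid>/environ, the executable is copied from /proc/<pid>/exe (which still works after the binary has been unlinked from disk), and any open file whose /proc/<pid>/fd link reads "(deleted)" is copied out while the process still holds it open, which is exactly the evidence that vanishes once the link count hits zero. It assumes Linux with /proc mounted and enough privilege to read the target's /proc entries (root, for someone else's rootkit); lsof is used only if it is installed.

```shell
#!/bin/sh
# Added example (not the original poster's code): live triage of a suspected
# rootkit process. Assumes Linux /proc; lsof is optional. Run as root against
# the real suspect pid. Function names are hypothetical.

# Freeze the process so it cannot clean up after itself or notice us while
# we copy evidence. Returns non-zero if the signal could not be delivered.
freeze_pid() {
    kill -STOP "$1"
}

# Copy what /proc exposes about pid $1 into directory $2:
# cmdline, environ, status, maps, the exe and cwd links, the binary itself,
# the fd table, and the contents of any open file already deleted from disk.
triage_pid() {
    pid=$1
    out=$2
    proc=/proc/$pid
    [ -d "$proc" ] || return 1
    mkdir -p "$out/fd"

    # cmdline and environ are NUL-separated; make them line-oriented
    tr '\0' '\n' < "$proc/cmdline" > "$out/cmdline" || :
    tr '\0' '\n' < "$proc/environ" > "$out/environ" || :
    for f in status maps; do
        cp "$proc/$f" "$out/$f" 2>/dev/null || :
    done

    # Where the binary came from and where it was running
    readlink "$proc/exe" > "$out/exe.link" 2>/dev/null || :
    readlink "$proc/cwd" > "$out/cwd.link" 2>/dev/null || :
    # The executable image, recoverable even if the file was unlinked
    cp "$proc/exe" "$out/exe.bin" 2>/dev/null || :

    # Record the whole fd table, then rescue anything marked "(deleted)"
    ls -l "$proc/fd" > "$out/fd.list" 2>/dev/null || :
    for fd in "$proc"/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case $target in
            *'(deleted)')
                cp "$fd" "$out/fd/$(basename "$fd").deleted" 2>/dev/null || :
                ;;
        esac
    done

    # Sockets, pipes and files as lsof sees them (-n/-P: no name lookups)
    if command -v lsof >/dev/null 2>&1; then
        lsof -n -P -p "$pid" > "$out/lsof.txt" 2>/dev/null || :
    fi
    return 0
}

# Number of unlinked-but-open files that were recovered into $1/fd.
deleted_count() {
    ls "$1/fd" 2>/dev/null | wc -l | tr -d ' '
}

# Usage: sh triage.sh <pid> <outdir>
if [ "$#" -eq 2 ]; then
    freeze_pid "$1" && triage_pid "$1" "$2" &&
        echo "evidence saved under $2 ($(deleted_count "$2") unlinked files recovered)"
fi
```

After the copy is safely off the box, the process can be resumed with `kill -CONT <pid>` or killed; the point is only that the copy happens first.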
