> > From: Jason Burfield [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, October 18, 2001 12:09 PM
> > To: [EMAIL PROTECTED]
> > Subject: t0rn help and questions...?
>
> <snip>
>
> > The machine is obviously going to need a complete re-install. However, I
> > would really like to figure out how someone got in. The machine was
> > running the following items:
> >
> > NAME VERSION PORT
> > apache 1.3.20 80
> > ssh 2.1.1 22
look for the version of ps (ps -V) and netstat netstat -V if the version
is procps 1.01 and netstat -s net-tools.... alpha or
smthing the you have a rootkit maybe the new version or t0rn rootkit haz
an linux kernel module the you have to scan your machine with chkrootkit
Baba Bogdan
PS:rpm -e portmap ; www.isc.org/bind
