I ran chkrootkit on the box. It confirmed the existence of t0rn. However, ps is version procps 2.0.6. Netstat is version net-tools 1.55, netstat 1.38.
Thanks... -- Jason On Mon, 2001-10-22 at 05:09, Baba Bogdan wrote: > > > <snip> > > > > > The machine is obviously going to need a complete re-install. However, I > > > would really like to figure out how someone got in. The machine was > > > running the following items: > > > > > > NAME VERSION PORT > > > apache 1.3.20 80 > > > ssh 2.1.1 22 > look for the version of ps (ps -V) and netstat netstat -V if the version > is procps 1.01 and netstat -s net-tools.... alpha or > smthing the you have a rootkit maybe the new version or t0rn rootkit haz > an linux kernel module the you have to scan your machine with chkrootkit > > Baba Bogdan > > PS:rpm -e portmap ; www.isc.org/bind > >
