Thanks Paul. I still have (partial?) root access. Logs show china9988@xxxxxxxx trying to relay through the smtp port, which leads me to think that it's either a diversion, or I rehashed aliases.db before that part of the compromise was complete (highly unlikely, invisible shell access should be able to overcome that). NMap shows ports open for WMS and RTSP, which I've yet to figure out how to close. You mentioned making it more difficult? Any insight is appreciated.

Stu@

On Sat, 2004-09-11 at 15:48, Paul wrote:
> Hi,
>
> > I haven't been able to lsmod, init 6, etc... which leads me to think
> > that it's a true positive.
>
> Do you still have root access? If so, you can fix things to make life
> harder, but I would still not entirely trust the server
>
> Really, if you've been r00ted, the only way to get rid of it is to trash
> the drive, reinstall, secure, check, resecure and make live.
>
> TTFN
>
> Paul
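Stu's open question is how to tell which process is actually behind the WMS and RTSP ports that NMap reports. The script below is an added example for readers of the thread, not code from Stu or Paul: it decodes the kernel's own `/proc/net/tcp` table to list listening TCP ports, so it does not depend on `netstat` or `lsof` binaries that an intruder with root may have replaced. The sample table and the port-to-name lookup are constructed for the example (the name "wms" for 1755 is the label nmap prints for that port). The caveat matters here: if the kernel itself has been modified, which the inability to run lsmod hints at, even `/proc` can lie, which is exactly why Paul's advice to rebuild from clean media still stands.

```shell
#!/bin/sh
# Added example (not from the thread): enumerate TCP sockets in LISTEN state
# straight from /proc/net/tcp instead of trusting netstat/lsof binaries that an
# intruder with root may have replaced. Port/service labels below are a
# constructed lookup of well-known assignments (nmap reports 1755 as "wms").

# Constructed sample in /proc/net/tcp layout; the real file has the same columns.
# Column 2 is the local address as HEXIP:HEXPORT, column 4 is the socket state
# (0A = LISTEN, 01 = ESTABLISHED). Rows: smtp, rtsp and wms listeners plus one
# established ssh connection that must NOT be reported.
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 00000000 100 0 0 10 0
   1: 00000000:022A 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 00000000 100 0 0 10 0
   2: 00000000:06DB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1236 1 00000000 100 0 0 10 0
   3: 0100007F:0016 0100007F:C3A4 01 00000000:00000000 00:00000000 00000000     0        0 1237 1 00000000 100 0 0 10 0'

# list_listening_ports: read /proc/net/tcp-format text on stdin and print the
# decimal port of every LISTEN socket, one per line, sorted and de-duplicated.
# Hex decoding is done by hand so the script works with any POSIX awk.
list_listening_ports() {
    awk '
    function hex2dec(h,    i, v) {
        v = 0
        for (i = 1; i <= length(h); i++)
            v = v * 16 + index("0123456789ABCDEF", toupper(substr(h, i, 1))) - 1
        return v
    }
    NR > 1 && $4 == "0A" {
        n = split($2, a, ":")
        print hex2dec(a[n])
    }' | sort -n -u
}

# service_label: map a port number to the name a scanner would print for it.
# Constructed lookup; anything unlisted is reported as "unknown".
service_label() {
    case "$1" in
        22)   echo ssh ;;
        25)   echo smtp ;;
        554)  echo rtsp ;;
        1755) echo wms ;;
        *)    echo unknown ;;
    esac
}

# report_listening: one "port label" line per listener, e.g. "554 rtsp".
report_listening() {
    list_listening_ports | while read -r port; do
        echo "$port $(service_label "$port")"
    done
}

# Stand-alone run over the constructed sample. On a live Linux host you would
# instead run:  report_listening < /proc/net/tcp
printf '%s\n' "$SAMPLE_PROC_NET_TCP" | report_listening
```

Once a listening port is confirmed, the inode column of the same `/proc/net/tcp` row can be matched against `/proc/*/fd` to find the owning process, but on a box where the kernel is suspect that result is only a lead, not proof.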