On Sunday 02 April 2006 12:06 am, Gene Heskett wrote:
> > Since the attacker wrote to /usr I'd be looking at how he got to be
> > root.
>
> We haven't found that yet. We're still looking over the forensic copy
> we made of that drive with dd. And root's password was alpha-numeric,
> longer than most and certainly not susceptible to a dictionary attack.
> Interesting, since you made the comment re the compiler being handy, is
> that it wasn't used to install the irc botnet kit, only a shell, gzip,
> chmod & cp were used for that according to the install script we read.

I'd suggest that if you have time, format the box clean and start a fresh
install. In my opinion, once a box has been compromised, we can never trust
it anymore, not even after checking it with any anti-rootkits available.

CMIIW,
--
Fajar Priyanto | Reg'd Linux User #327841 | Linux tutorial http://linux2.arinet.org
02:59:24 up 9:30, 2.6.15-1.1830_FC4 GNU/Linux
Let's use OpenOffice. http://www.openoffice.org