On Friday 02 February 2007 12:33 pm, alan wrote: > > Most rootkits replace ls and cp in order to make the other peieces > "invisible". > > Don't use rsync to try and fix the problem. That is just going to make a > big mess and it will not remove the problem. > > If they have rooted your system, there is at least one backdoor installed. > (Probably more.) You also have to look at all of the accounts installed, > the kernel modules loaded, the processes running, etc. The current > rootkits install crap all over the place. Unless you have a very small > install and a LOT of time, you are not going to find them all. > > Wipe the disc and reinstall. > I think that was the plan... just the OP wanted to back up some data prior to reinstalling.
