On 09/25/2010 08:38 PM, James McKenzie wrote:
> On 9/25/10 8:34 PM, Mike Dwiggins wrote:
>> On 9/25/2010 8:28 PM, JD wrote:
>>> On 09/25/2010 07:14 PM, Mike Dwiggins wrote:
>>>> JB,
>>>>
>>>> I figured you or someone else might like to know this. I killed the dhc
>>>> process and cleaned up the .conf files, did a restart on Network Manager,
>>>> and everything worked!
>>>>
>>>> Ran chkrootkit and it hit on netstat as Infected (imagine that). It
>>>> also reported a possible LKM Trojan intrusion. I then ran rkhunter and
>>>> it threw warnings on the following files:
>>>> /bin/netstat
>>>> /bin/ps
>>>> /usr/bin/top
>>>> /usr/bin/lsof
>>>>
>>>> It also reported an undocumented password change and group file changes.
>>>>
>>>> The password I could see, with me going through Webmin to reset the root
>>>> password, but I was careful to change nothing else, much less groups!
>>>>
>>>> I rebooted and the problem was back just as before!
>>>>
>>>> With that I threw up my hands and have WipeDrive going on the drives in
>>>> DoD mode!
>>>>
>>>> Hope this might help someone!
>>>>
>>>> Again thanks for the help!
>>>>
>>> chkrootkit found this, but I have no idea where the process is:
>>>
>>> Checking `lkm'... You have 1 process hidden for readdir command
>>> You have 1 process hidden for ps command
>>> chkproc: Warning: Possible LKM Trojan installed
>>>
>>>
>>> So, if it will not tell me which process it is, how can I find it?
>>>
>> Beats me, this is where it gets above my head! I had enough problems
>> with it I just went Scorched Earth. There should be a lesser way but I
>> am not that good and admit it!
>>
> Usually, at this time, it is time to hope you backed up your system before
> you were rooted and blow everything away and start over. Also a good
> time to upgrade to the latest version of whatever OS you are using.
>
> James McKenzie
>
Well, if my machine was rooted, and I have a firewall that drops ALL incoming requests, then how was it rooted if not through some package or through the kernel itself?

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
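JD's question ("if it will not tell me which process it is, how can I find it?") is answerable with the same comparison chkproc makes: probe every possible /proc/<pid> directly and diff the result against what a plain readdir() of /proc and the ps binary report. The script below is an added example, not chkrootkit's code or anything from the thread; it assumes a Linux /proc, a ps in PATH, and function names of my own choosing. A kernel module that hooks the lookup as well as readdir will fool it too, which is why the check is only trustworthy when run from a clean boot medium.

```python
import os
import subprocess
from typing import Dict, Set

def pids_via_readdir(proc: str = "/proc") -> Set[int]:
    """PIDs a plain directory listing of /proc exposes (what `ls /proc` sees)."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}

def pids_via_probe(proc: str = "/proc", max_pid: int = 0) -> Set[int]:
    """PIDs found by looking up /proc/<n> directly for every n up to pid_max.
    A process filtered out of readdir() by an LKM rootkit typically still
    answers a direct lookup, because that takes a different code path."""
    if not max_pid:
        with open(os.path.join(proc, "sys", "kernel", "pid_max")) as fh:
            max_pid = int(fh.read())
    return {n for n in range(1, max_pid + 1)
            if os.path.isdir(os.path.join(proc, str(n)))}

def pids_via_ps() -> Set[int]:
    """PIDs the ps binary reports; untrusted if ps itself was replaced,
    as rkhunter warned for /bin/ps in the thread above."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

def hidden_pids(readdir: Set[int], probe: Set[int], ps: Set[int]) -> Dict[str, Set[int]]:
    """Pure comparison: a PID reachable by direct probe but absent from a view
    is hidden from that view. Transient processes that exit between the
    probe and the other views show up here too, so rerun before trusting a hit."""
    return {"readdir": probe - readdir, "ps": probe - ps}

def report(hidden: Dict[str, Set[int]]) -> str:
    """Render findings in the same style as chkproc's warning lines."""
    lines = [f"You have {len(pids)} process hidden for {view} command: {sorted(pids)}"
             for view, pids in hidden.items() if pids]
    return "\n".join(lines) or "no hidden processes"

if __name__ == "__main__":
    # Probe first, then take the two cheap views immediately afterwards.
    probe = pids_via_probe()
    print(report(hidden_pids(pids_via_readdir(), probe, pids_via_ps())))
```

Every PID the report names can then be inspected through /proc/<pid>/exe, cmdline and maps, which is the detail chkrootkit's summary omits.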