"René Berber" <rberber@mailandnews.com> writes:
> Todd H. wrote:
> > Yup. It's the only way to get back to a known state. Wiping and
> > reinstalling from original media.
>
> But that's not needed, you can find which process is using that
> particular port and kill it (use lsof).
BUT, that assumes lsof hasn't been replaced.
If someone has compromised your box, all bets are off. Rootkits, and
kernel-mode rootkits in particular, are sufficiently advanced (many are
impossible to detect) that if you've been owned, especially if your
admin account has been compromised, you have to flatten and rebuild
from original media.
> Then run a rootkit detection and/or anti-virus detection to try to
> find out where that process came from (there are several to choose
> from).
Good luck with that. There's plenty of malware out there that evades
AV detection and rootkit detection. All your detectors can tell you
is whether you have malware that they know about. There's plenty they
don't know about (or which has been repacked in order to evade
detection).
Flatten and rebuild from original media. As I stated, it's the only
way to get back to a known state.
--
Todd H.
http://www.toddh.net/
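As an added illustration of the point about a trojaned lsof (this is example code, not part of the thread): the script below reads the kernel's own socket table in /proc/net/tcp and compares its LISTEN entries against what lsof reports, so a port present in the kernel table but absent from lsof output flags a tool that may have been replaced. The PROC_TCP_SAMPLE and LSOF_SAMPLE strings are constructed sample data; a kernel-mode rootkit can of course lie in /proc as well, which is exactly why the thread's advice to rebuild still stands.

```python
"""Cross-check LISTEN sockets in /proc/net/tcp against lsof output (Linux)."""
import re
import subprocess

# Constructed sample of /proc/net/tcp: sshd on *:22, mysql on 127.0.0.1:3306,
# plus one ESTABLISHED connection that must be ignored.
PROC_TCP_SAMPLE = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:A1B2 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
"""

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` that "forgets" port 3306.
LSOF_SAMPLE = """COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd    812 root  3u IPv4 12345 0t0 TCP *:22 (LISTEN)
"""

def parse_proc_tcp(text):
    """Return {(ip, port): inode} for every socket in LISTEN state (st == 0A)."""
    listeners = {}
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[3] != "0A":
            continue
        hex_ip, hex_port = fields[1].split(":")
        # IPv4 addresses are stored as little-endian hex; reverse the bytes.
        octets = [int(hex_ip[i:i + 2], 16) for i in range(0, 8, 2)][::-1]
        listeners[(".".join(map(str, octets)), int(hex_port, 16))] = int(fields[9])
    return listeners

def parse_lsof(text):
    """Return the set of listening ports named in lsof's NAME column."""
    return {int(m.group(1)) for m in re.finditer(r":(\d+) \(LISTEN\)", text)}

def hidden_listeners(proc_listeners, lsof_ports):
    """Ports the kernel table shows but lsof does not: candidates for a tampered lsof."""
    return sorted(port for (_ip, port) in proc_listeners if port not in lsof_ports)

if __name__ == "__main__":
    # Live check; requires Linux and an lsof binary on PATH.
    with open("/proc/net/tcp") as f:
        live = parse_proc_tcp(f.read())
    out = subprocess.run(["lsof", "-nP", "-iTCP", "-sTCP:LISTEN"],
                         capture_output=True, text=True).stdout
    print("ports missing from lsof:", hidden_listeners(live, parse_lsof(out)))
```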