Re: Urgent!!! My computer seems to be hacked, pls !!!
Todd H. wrote:
> René Berber writes:
>
> > Todd H. wrote:
> > > Yup. It's the only way to get back to a known state. Wiping and
> > > reinstalling from original media.
> >
> > But that's not needed, you can find which process is using that
> > particular port and kill it (use lsof).
>
> BUT, that assumes lsof hasn't been replaced.
Are we getting paranoid? So what if it was replaced, is it going to lie
and you are not going to catch the lie? Granted you need some
experience, knowledge and/or outside .
> If someone has compromised your box, all bets are off. Rootkits and
> kernel mode rootkits are sufficiently advanced, (many impossible to
> detect), that if you've been owned, especially if your admin account
> has been compromised, that's why you have to flatten and rebuild from
> original media.
>
> > Then run a rootkit detection and/or anti-virus detection to try to
> > find out where that process came from (there are several to choose
> > from).
>
> Good luck with that. There's plenty of malware out there that evades
> AV detection and rootkit detection. All your detectors can tell you
> is whether you have malware that they know about. There's plenty they
> don't know about (or which has been repacked in order to evade
> detection).
Do you have any experience at all?
"Evade detection", you must be kidding. FYI most rootkits are very
simple, they install a modified telnet or ssh and some scripts, that's
it; and any good anti-virus detects those and you have the option of
using things like tripwire so you don't even need anti-virus.
If you really want to do things carefully, you can boot from a CD and
check your drive from there. There are several options for the CD, I
have "System Rescue CD".
> Flatten and rebuild from original media. As I stated, it's the only
> way to get back to a known state.
--
R.Berber
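Finding the process behind a suspect port, as René suggests doing with lsof, as an added example that is not part of this thread: it parses `lsof -i -P -n` output (a constructed sample is embedded; on a live host feed it `subprocess.check_output(["lsof", "-i", "-P", "-n"], text=True)`) and also flags any listener missing from a baseline of expected services, which is a cheap first check against the "known state" the thread argues about.

```python
"""Map a suspect port to its owning process by parsing `lsof -i -P -n` output."""
import re
from typing import Dict, List, NamedTuple, Tuple

# local = local addr:port; remote = peer addr:port ('' for listeners); state = LISTEN/ESTABLISHED ('' for UDP)
Socket = NamedTuple("Socket", [("command", str), ("pid", int), ("user", str), ("proto", str),
                               ("local", str), ("remote", str), ("state", str)])

# Constructed sample in `lsof -i -P -n` layout (not data from the thread).
SAMPLE_LSOF = """\
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd     812 root    3u  IPv4  12345      0t0  TCP *:22 (LISTEN)
sshd    4102 root    4u  IPv4  22222      0t0  TCP 10.0.0.5:22->203.0.113.9:51522 (ESTABLISHED)
ntpd     640 ntp    16u  IPv4  11111      0t0  UDP *:123
bash    5001 root    5u  IPv4  33333      0t0  TCP *:31337 (LISTEN)
"""
NAME_RE = re.compile(r"((?:(?!->)\S)+)(?:->(\S+))?(?: \((\w+)\))?")  # local[->peer][ (STATE)]

def parse_lsof(text: str) -> List[Socket]:
    rows = []
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 8)             # NAME may contain a space before "(LISTEN)"
        if len(parts) < 9:
            continue
        cmd, pid, user, _fd, _type, _dev, _off, proto, name = parts
        m = NAME_RE.match(name)
        rows.append(Socket(cmd, int(pid), user, proto,
                           m.group(1), m.group(2) or "", m.group(3) or ""))
    return rows

def local_port(s: Socket):
    p = s.local.rsplit(":", 1)[-1]
    return int(p) if p.isdigit() else None      # "*:*" wildcards carry no port

def processes_on_port(sockets: List[Socket], port: int) -> List[Tuple[str, int, str]]:
    """Every (command, pid, user) holding a socket bound to the given local port."""
    return sorted({(s.command, s.pid, s.user) for s in sockets if local_port(s) == port})

def unexpected_listeners(sockets: List[Socket], expected: Dict[int, str]) -> List[Tuple[int, str, int]]:
    """Listeners whose port is not in the baseline or is owned by a different command."""
    out = set()
    for s in sockets:
        port = local_port(s)
        if s.remote or port is None:            # established connection, not a listener
            continue
        if expected.get(port) != s.command:
            out.add((port, s.command, s.pid))
    return sorted(out)
```

Once the PID is known, `/proc/<pid>/exe` and the package manager's file verification tell you what binary is actually listening, which is what a tripwire-style baseline answers without trusting the on-disk tools alone.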