On Wed, Jun 20, 2001 at 09:04:26AM -0400, Andrew Heath wrote:
> I also know it's making IRC connections, plus has at least one
> rootshell running. I can't confirm this without modifying bits
> of the box, to replace ps with a known good copy, and I can't do
> that until one of my colleagues looks at it to get first hand
> experience.

You may use lsof
ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/
to see all the running processes and the open files, if none are hidden by adore...

You may try
http://www.hsc.fr/ressources/outils/rkscan/
to detect the presence of the adore rootkit.

Of course, compile them on another system.

Denis.
--
Denis.Ducampat_private --- Hervé Schauer Consultants --- http://www.hsc.fr/
Owl/snort/hping/dsniff in French http://www.groar.org/~ducamp/#sec-trad
Owl in French http://www.openwall.com/Owl/fr/
On the proper use of ... http://usenet-fr.news.eu.org/fr-chartes/rfc1855.html
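Added example (not part of the original message, and not a description of how lsof or rkscan work): a cross-view check for the case raised above, where processes are hidden from enumeration so that ps and lsof do not show them. It assumes a Linux /proc, that the hiding filters only the /proc directory listing, and a PID range up to 32768; the function names are illustrative.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* View 1: is the PID returned when /proc is enumerated (the listing ps-style tools walk)? */
int pid_listed_in_proc(long pid) {
    DIR *d = opendir("/proc");
    struct dirent *e;
    int found = 0;
    if (!d) return -1;                          /* /proc unavailable */
    while (!found && (e = readdir(d)) != NULL)
        if (isdigit((unsigned char)e->d_name[0]) && atol(e->d_name) == pid) found = 1;
    closedir(d);
    return found;
}

/* View 2: does the kernel accept signal 0 for the PID? EPERM still means it exists. */
int pid_answers_signal(long pid) {
    return kill((pid_t)pid, 0) == 0 || errno == EPERM;
}

/* Thread IDs answer kill() but are never listed at the top of /proc, so skip them. */
int is_thread_id(long pid) {
    char path[64], line[128];
    long tgid = pid;
    FILE *f;
    snprintf(path, sizeof path, "/proc/%ld/status", pid);
    if (!(f = fopen(path, "r"))) return 0;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "Tgid: %ld", &tgid) == 1) break;
    fclose(f);
    return tgid != pid;
}

/* 1 = the process exists but enumeration does not show it (assumed hiding method). */
int pid_is_hidden(long pid) {
    return pid_answers_signal(pid) && !is_thread_id(pid) && pid_listed_in_proc(pid) == 0;
}

int main(void) {
    long pid, hits = 0;
    for (pid = 1; pid <= 32768; pid++)          /* 32768: assumed pid_max */
        if (pid_is_hidden(pid)) { printf("hidden pid candidate: %ld\n", pid); hits++; }
    return hits != 0;
}
```

Build it statically on a separate, trusted system, as with the tools above. A short-lived process can exit between the two checks, so treat each hit as a candidate to confirm.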
This archive was generated by hypermail 2b30 : Thu Jun 21 2001 - 10:36:44 PDT