tripwire failed???

I have discovered that my server has been compromised. I believe it's
some sort of rootkit. It has managed to circumvent both rkhunter and
tripwire. The only reason I detected it is because I happened to run a
'ps' command when the server was slow and noticed a connection from an
unwarranted user. I then ran 'netstat'. Apparently, the attacker(s) is
utilizing a program that obfuscates their presence in the usual logging
areas as well. I just "happened" to catch them. 'ps -aux' showed that an
UNKNOWN user was utilizing sshd. I was able to parse the output to a file
for further viewing. I would post the log files, but they show no
indication of compromise (as far as I can tell).

I know that there are a plethora of rootkits in circulation, but does
anyone know how I might detect/remove such a rootkit? I hate to have to
reload OS/tripwire/rkhunter/reload permissions... start over.

Any other tools I should be utilizing?
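One check worth running before deciding to rebuild is the cross-check that rootkit hunters perform: a process-hiding rootkit (LD_PRELOAD or kernel module) normally hides a PID by filtering the directory listing of /proc, so ps, top and ls never see it, but a direct stat() of /proc/<pid> still succeeds. Probing every PID up to pid_max and diffing against what ps reports exposes such a process; applying the same idea to /proc/net/tcp exposes a connection (like the one to sshd above) whose socket no visible process owns. The script below is an added example, not code from the original post or from rkhunter/tripwire; it assumes a Linux /proc filesystem and a procps-style ps, and the /proc/net/tcp sample in it is constructed for illustration, not captured from the poster's server. It must run as root to read other users' fd tables, and it only handles IPv4 (/proc/net/tcp, not tcp6).

```python
"""Cross-check /proc against ps to find hidden processes and orphan sockets.

Added example; assumes Linux /proc and a procps-style ps.  Run as root so
that /proc/<pid>/fd is readable for every process.
"""
import os
import subprocess

# Constructed sample of /proc/net/tcp (not from the poster's server):
# sshd listening on *:22 (inode 18001), an established session from
# 203.0.113.7 to port 22 (inode 18002), and a TIME_WAIT entry (inode 0).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18001 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:0016 077100CB:E2F1 01 00000000:00000000 02:000A1B2C 00000000  1000        0 18002 1 0000000000000000 20 4 30 10 -1
   2: 0F02000A:0050 077100CB:C001 06 00000000:00000000 03:00001234 00000000     0        0 0 3 0000000000000000
"""

TCP_STATES = {"01": "ESTABLISHED", "06": "TIME_WAIT", "0A": "LISTEN"}


def parse_pid_list(text):
    """Set of PIDs in text such as the output of 'ps -e -o pid='."""
    return {int(tok) for tok in text.split() if tok.isdigit()}


def hidden_pids(probed, visible):
    """PIDs found by probing /proc directly but absent from what ps reported."""
    return sorted(set(probed) - set(visible))


def probe_proc_pids(pid_max=None):
    """Enumerate PIDs by stat()ing /proc/<n> for every n, bypassing readdir()."""
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
    return {n for n in range(1, pid_max + 1) if os.path.isdir("/proc/%d" % n)}


def ps_pids():
    """PIDs according to ps (what a rootkit may be filtering)."""
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return parse_pid_list(out)


def scan_hidden_processes(pid_max=None):
    """Snapshot ps first, then probe /proc, then re-check each candidate so a
    process that merely exited during the scan is not reported as hidden."""
    visible = ps_pids()
    candidates = hidden_pids(probe_proc_pids(pid_max), visible)
    if not candidates:
        return []
    visible = ps_pids()
    return [p for p in candidates
            if os.path.isdir("/proc/%d" % p) and p not in visible]


def _decode_v4(hexaddr):
    """'0100007F:0277' -> ('127.0.0.1', 631): /proc prints the IPv4 address
    in host byte order, so the byte string must be reversed."""
    ip_hex, port_hex = hexaddr.split(":")
    return "%d.%d.%d.%d" % tuple(bytes.fromhex(ip_hex)[::-1]), int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp into dicts with local/remote endpoint, state, uid, inode."""
    entries = []
    for line in text.splitlines()[1:]:          # first line is the header
        f = line.split()
        if len(f) < 10:
            continue
        entries.append({"local": _decode_v4(f[1]), "remote": _decode_v4(f[2]),
                        "state": TCP_STATES.get(f[3], f[3]),
                        "uid": int(f[7]), "inode": int(f[9])})
    return entries


def socket_inodes_of(pids):
    """Map socket inode -> owning pid by reading the /proc/<pid>/fd symlinks."""
    owned = {}
    for pid in pids:
        fd_dir = "/proc/%d/fd" % pid
        try:
            names = os.listdir(fd_dir)
        except OSError:                          # gone, or not root
            continue
        for name in names:
            try:
                target = os.readlink(os.path.join(fd_dir, name))
            except OSError:
                continue
            if target.startswith("socket:["):
                owned[int(target[8:-1])] = pid
    return owned


def orphan_sockets(entries, owned):
    """Live sockets held by no visible process.  Inode 0 entries (TIME_WAIT,
    kernel-owned) have no owner by design and are skipped."""
    return [e for e in entries if e["inode"] != 0 and e["inode"] not in owned]


if __name__ == "__main__":
    print("hidden pids:", scan_hidden_processes() or "none")
    with open("/proc/net/tcp") as f:
        live = parse_proc_net_tcp(f.read())
    for sock in orphan_sockets(live, socket_inodes_of(probe_proc_pids())):
        print("socket with no visible owner:", sock)
```

A hit from the first check is a process that exists but is not in ps; a hit from the second is a socket whose owning process is invisible even to the direct /proc probe, which points at a kernel-level hider rather than a hooked libc. Either result confirms the box cannot be trusted to report on itself, and a rootkit that hides sockets or processes from the running kernel cannot be safely removed from that kernel, so the usual course is to image the disk for analysis and rebuild from known-good media. The brute-force probe is slow at a large pid_max (millions of stat calls), but that is the cost of not trusting readdir().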
