tripwire failed???

I have discovered that my server has been compromised. I believe it's
some sort of rootkit. It has managed to circumvent both rkhunter and
tripwire. The only reason I detected it is because I happened to run a
'ps' command when the server was slow and noticed a connection from an
unwarranted user. I then 'netstat'ed. Apparently, the attacker(s) is
utilizing a program that obfuscates their presence in the usual logging
areas as well. I just "happened" to catch them. 'ps -aux' showed that an
UNKNOWN user was utilizing sshd. I was able to parse output to a file for
further viewing. I would post 'log-files' but they show no indication of
compromise (as far as I can tell).

I know that there are a plethora of rootkits in circulation, but does
anyone know how I might detect/remove such a rootkit? I hate to have to
reload OS/tripwire/rkhunter/reload permissions... start over.

Any other tools I should be utilizing?
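A cross-check a defender can run in exactly this situation, added here as an example and not part of the original post: compare the kernel's own /proc view of processes and TCP sockets with what the ps and netstat binaries print. The sample /proc/net/tcp and netstat lines are constructed; a user-space or LD_PRELOAD-style rootkit that patches those tools usually leaves /proc intact, while a kernel-module rootkit can filter /proc as well, so an empty result is not proof of a clean host.

```python
import os
import subprocess
def pids_from_proc(proc_root="/proc"):
    # PIDs the kernel exposes as numeric /proc entries, no ps involved
    return {int(d) for d in os.listdir(proc_root) if d.isdigit()}

def pids_from_ps():
    # PIDs as reported by the (possibly trojaned) ps binary
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True, check=True).stdout
    return {int(p) for p in out.split()}

def hidden_pids(proc_pids, ps_pids):
    # processes present in /proc but missing from ps output
    return sorted(proc_pids - ps_pids)

def decode_addr(field):
    # '0100007F:0016' as printed in /proc/net/tcp -> '127.0.0.1:22' (IPv4, little-endian host)
    ip_hex, port_hex = field.split(":")
    ip = ".".join(str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0))
    return f"{ip}:{int(port_hex, 16)}"

def parse_proc_net_tcp(text):
    # (local, remote, state, inode) per socket line; state '01' is ESTABLISHED, '0A' LISTEN
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) >= 10:
            rows.append((decode_addr(f[1]), decode_addr(f[2]), f[3], int(f[9])))
    return rows

def parse_netstat(text):
    # (local, remote) pairs from `netstat -tn` style output lines
    return {(f[3], f[4]) for f in (l.split() for l in text.splitlines())
            if len(f) >= 6 and f[0].startswith("tcp")}

def hidden_connections(proc_net_tcp, netstat_out):
    # established sockets the kernel knows about but netstat did not print
    kernel = {(l, r) for l, r, st, _ in parse_proc_net_tcp(proc_net_tcp) if st == "01"}
    return sorted(kernel - parse_netstat(netstat_out))
# Constructed sample: two sshd sessions in the kernel table, only one shown by netstat.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:0016 0501A8C0:A8CA 01 00000000:00000000 00:00000000 00000000     0        0 1002 1 0000000000000000 20 4 30 10 -1
   2: 0F02000A:0016 0E01A8C0:B3A2 01 00000000:00000000 00:00000000 00000000     0        0 1003 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_NETSTAT = "tcp        0      0 10.0.2.15:22            192.168.1.5:43210       ESTABLISHED\n"
if __name__ == "__main__":
    print("hidden sockets:", hidden_connections(SAMPLE_PROC_NET_TCP, SAMPLE_NETSTAT))
    print("hidden pids:", hidden_pids(pids_from_proc(), pids_from_ps()))  # live check on this host
```

On a live host, feed it the real /proc/net/tcp contents and the output of `netstat -tn`, and run it from a trusted boot medium or statically linked tools if you suspect the system binaries themselves.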

