Re: tripwire failed???

> I have discovered that my server has been compromised.

Welcome to the happy club comprising... everybody who's ever managed a
server :D

> I believe it's some sort of rootkit.

You should also hunt for the way IN, otherwise you will never shut out
the attacker. The rootkit is a way to REMAIN in, not a way to get entry.

> It has managed to circumvent both rkhunter and

Cool. How are you running tripwire, exactly? Is the list of hashes on
the same box that was compromised? If so, I believe I can see why your
tripwire didn't work :D

Also, if the rootkit is loaded in kernel space, tripwire will be silent.

> anyone know how I might detect/remove such rootkit? I hate to have to
> reload OS/tripwire/rkhunter/reload permissions... start over.

Sorry, you have to. There's no other safe way to get that box clean.
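As an added example (not from this thread, and not tripwire's own code), a Python sketch of the point above: an integrity baseline only helps if the manifest cannot be quietly rewritten on the compromised host, so here it is sealed with an HMAC key that is kept off the box. The names `build_baseline`, `check_baseline` and the small tree built in `demo` are all assumed; it still reads files through the running kernel, so a kernel rootkit can lie to it, and it should be run from a clean boot medium.

```python
import hashlib, hmac, json, tempfile
from pathlib import Path

def file_record(path: Path) -> dict:
    # Content hash plus the metadata a trojaned binary usually changes.
    st = path.lstat()
    return {"sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "mode": oct(st.st_mode), "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size}

def build_baseline(root: Path, key: bytes) -> dict:
    # Walk the tree and seal the manifest with an HMAC. The key must NOT be stored on
    # the host: anyone who can rewrite the manifest could otherwise re-seal it too.
    records = {str(p.relative_to(root)): file_record(p)
               for p in sorted(root.rglob("*")) if p.is_file()}
    body = json.dumps(records, sort_keys=True).encode()
    return {"records": records, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}

def check_baseline(root: Path, baseline: dict, key: bytes) -> dict:
    # Refuse to trust a manifest whose MAC does not verify; otherwise diff it
    # against the live tree. Everything read here still goes through the running
    # kernel, so a kernel-level rootkit can lie: run this from a clean boot medium.
    body = json.dumps(baseline["records"], sort_keys=True).encode()
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), baseline["mac"]):
        return {"tampered_manifest": True, "changed": [], "added": [], "missing": []}
    old, live = baseline["records"], build_baseline(root, key)["records"]
    return {"tampered_manifest": False,
            "changed": sorted(k for k in old if k in live and live[k] != old[k]),
            "added": sorted(set(live) - set(old)),
            "missing": sorted(set(old) - set(live))}

def demo() -> tuple:
    # Constructed scenario: baseline a tiny tree, then simulate a rootkit that replaces
    # a binary, drops a preload file, and finally rewrites the manifest to hide it.
    key = b"constructed-offline-key"  # in real use, kept on the admin workstation
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary")
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        baseline = build_baseline(root, key)
        (root / "bin" / "ls").write_bytes(b"trojaned ls binary, longer")
        (root / "etc" / "ld.so.preload").write_text("/lib/evil.so\n")
        after_change = check_baseline(root, baseline, key)
        # Manifest rewritten to match the new tree, but the old MAC cannot be updated
        # without the key, so the check flags the manifest itself as tampered.
        forged = {"records": build_baseline(root, key)["records"], "mac": baseline["mac"]}
        after_forgery = check_baseline(root, forged, key)
    return after_change, after_forgery
```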
