Re: strange connection on port 111.. more question

From: John Oliver (john.oliver@hosting.com)
Date: 08/16/01


Message-ID: <3B7B0CE8.71558A22@hosting.com>
Date: Wed, 15 Aug 2001 16:59:36 -0700
From: John Oliver <john.oliver@hosting.com>
To: focus-linux@securityfocus.com
Subject: Re: strange connection on port 111.. more question

xyros wrote:
>
> thanks for the kind replies.. it's helpful for me :)
>
> i know system reconstruction is the best way.. but that's not allowed to me yet *sniff*
>
> I'm trying to find the hacking proof..
>
> i attempted to find a rootkit or backdoor using chkrootkit, kstat, and manual work...
>
> but can't find any suspicious files or processes..
>
> Comparing system files (ls, ps, netstat, ifconfig, find, etc..) with a clean system is in vain.
>
> even md5sum is the same..
>
> do you have more ideas on ways to find any backdoor, rootkit, or any suspicious things?

You're never going to find anything while that filesystem is live. You
need to shut it down, mount the disk(s) RO on a known clean machine, and
*then* search for the backdoors and such. But that's probably a waste
of time... you only need to miss one, and the machine will be just as
bad, if not worse, *very* quickly.

You might as well put up a new box, transfer data and apps to it, and
then burn the old one to the ground.

-- 
John Oliver
System Administrator
Hosting.com, an Allegiance Telecom company
Formerly CONNECTnet
mailto:john.oliver@hosting.com
t 858.638.2020
http://www.hosting.com/
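The offline comparison John describes (disk mounted read-only on a clean host, then hashed and diffed against a known-good tree), as an added example that is not part of either post. It assumes the suspect disk has already been attached to the analysis host and mounted read-only (for instance `mount -o ro,noexec,nodev,nosuid /dev/sdb1 /mnt/suspect`; device and mount point are placeholders), and that a clean install of the same software versions is available as the baseline. The `demo()` function builds two small constructed trees in a temporary directory so the script runs without any real disk.

```python
"""
Offline integrity diff of a suspect filesystem against a clean baseline.

Added example, not code from the mailing-list thread. Every hash below is
computed by the analysis host's own kernel and Python, never by binaries
on the suspect disk, which is the point of mounting it read-only elsewhere:
a trojaned md5sum or a kernel module hiding files cannot influence the result.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with Path(path).open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map each entry under `root` (path relative to root) to its SHA-256.

    Symlinks are recorded by target rather than followed, so a link that
    redirects a system binary elsewhere shows up as a changed entry instead
    of silently hashing the target. os.walk does not descend into symlinked
    directories, so the walk stays inside the mounted tree.
    """
    root = Path(root)
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            rel = str(p.relative_to(root))
            if p.is_symlink():
                manifest[rel] = "symlink:" + os.readlink(p)
            elif p.is_file():
                manifest[rel] = sha256_file(p)
    return manifest


def compare_manifests(baseline, suspect):
    """Three-way diff of two manifests: modified, missing and added paths."""
    return {
        "modified": sorted(k for k in baseline
                           if k in suspect and baseline[k] != suspect[k]),
        "missing": sorted(k for k in baseline if k not in suspect),
        "added": sorted(k for k in suspect if k not in baseline),
    }


def demo():
    """Constructed sample (not real evidence): a clean tree and a suspect tree
    with one replaced binary, one deleted log and one planted file."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean"        # stands in for the baseline install
        suspect = Path(tmp) / "suspect"    # stands in for /mnt/suspect
        files = {
            "bin/ps": b"#!/bin/sh\necho genuine ps\n",
            "bin/netstat": b"#!/bin/sh\necho genuine netstat\n",
            "var/log/messages": b"Aug 15 16:59:36 host sshd[123]: constructed log line\n",
        }
        for root in (clean, suspect):
            for rel, data in files.items():
                target = root / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)
        # Differences a defender would expect to surface in the diff:
        (suspect / "bin/ps").write_bytes(b"#!/bin/sh\necho replaced ps\n")
        (suspect / "var/log/messages").unlink()
        (suspect / "usr/lib").mkdir(parents=True)
        (suspect / "usr/lib/planted_file").write_bytes(b"constructed extra file\n")
        return compare_manifests(build_manifest(clean), build_manifest(suspect))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two practical notes. First, the baseline must itself come from clean media (vendor packages or a fresh install of the same versions); a baseline generated on the suspect host before the disk was pulled inherits whatever was already wrong with it, which is one way "md5sum is the same" can happen even on a compromised box. Second, a clean diff only says the files you enumerated match; it says nothing about what is in memory, in the bootloader, or on a disk you did not image, which is why John's advice to rebuild rather than trust the result still stands.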