Re: Have I been kitted?

From: Hans-Joachim Picht (hans@picht.org)
Date: 06/12/02


Date: Wed, 12 Jun 2002 13:35:53 +0200
From: Hans-Joachim Picht <hans@picht.org>
To: focus-linux@securityfocus.com

On Sun, Jun 09, 2002 at 12:19:57PM +0100, Terry Browning wrote:

> Is that a good sign? Has nmap been fooled by an LKM? Have I wasted time
> chasing my tail?
>
> What is the best strategy for dealing with an LKM kit? Reinstall linux
> from CD or try to remove it?

Check the md5 checksum for your netstat and ps binaries and run netstat
-anp to see which program opened the ports on your system.

With best regards

    Hans

-- 
Work: Consultant with Linux Consulting Europe <hjp@lnxce.net> 
      http://www.lnxce.net Vogelhecke 2 D - 35447 Reiskirchen 
      Tel: +491751629201  Fax: +49640862649	Germany 
Private: hans@picht.org
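
The checksum comparison suggested in the reply above, as an added example that is not part of the original message. The function name `check_binaries`, the baseline file format and the stand-in files are assumptions for illustration; it also assumes `md5sum` and the baseline were taken from trusted media.

```shell
#!/bin/sh
# Added example: compare MD5 sums of binaries against a known-good baseline.
# Baseline format (assumed): "<md5>  <path>" per line, as written by md5sum.

# check_binaries BASELINE
# Prints one status line per baseline entry.
# Returns 0 if every file matches, 1 if any file is modified or missing.
check_binaries() {
    baseline=$1
    status=0
    while read -r want path; do
        [ -n "$path" ] || continue              # skip blank or malformed lines
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; status=1; continue
        fi
        have=$(md5sum "$path" | cut -d' ' -f1)  # current hash of the file
        if [ "$have" = "$want" ]; then
            echo "OK       $path"
        else
            echo "MODIFIED $path"; status=1
        fi
    done < "$baseline"
    return $status
}

# Constructed demo: stand-in files play the role of netstat and ps.
demo() {
    dir=$(mktemp -d)
    printf 'netstat stand-in\n' > "$dir/netstat"
    printf 'ps stand-in\n'      > "$dir/ps"
    # Baseline recorded while the files are still trusted.
    md5sum "$dir/netstat" "$dir/ps" > "$dir/baseline.md5"
    # Simulate a replaced binary.
    printf 'trojaned\n' >> "$dir/ps"
    check_binaries "$dir/baseline.md5"
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo || echo "baseline mismatch: inspect the system from trusted media"
```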