RE: Have I been kitted?

From: James Golovich (james@wwnet.net)
Date: 06/14/02


Date: Fri, 14 Jun 2002 15:01:54 -0400 (EDT)
From: James Golovich <james@wwnet.net>
To: focus-linux@securityfocus.com


On 13 Jun 2002, Tommy McLeod wrote:

> use md5sum on your lsof command (md5sum /usr/sbin/lsof)
> run the same thing against your original binary (from the CD)
> use lsof (lsof -i tcp and lsof -i udp)
> check these against a ps of all processes.
>

One quick note: don't forget to use the md5sum from the CD (or recompile a
new one), because if a root kit has been installed, chances are md5sum has
been replaced to return the correct md5s for the modified binaries.

James
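
The check discussed in this thread, as an added example that is not part of the original messages: installed binaries are hashed with an md5sum taken from trusted media and compared against reference copies from the same media. The function name, argument layout and the mount point in the comments are assumptions, and the trusted md5sum is assumed to be statically linked so it does not load libraries from the suspect system.

```shell
#!/bin/sh
# Added example. Usage (hypothetical mount point /mnt/cdrom):
#   compare_with_media /mnt/cdrom/bin/md5sum /mnt/cdrom /usr/sbin/lsof /bin/ps
# The reference copy of each file is looked up at REF_ROOT + installed path.
compare_with_media() {
    trusted_md5sum=$1
    ref_root=$2
    shift 2
    bad=0

    # Insist on an absolute path: a bare "md5sum" would be resolved through
    # $PATH and could pick up the replaced binary on the suspect system.
    case $trusted_md5sum in
        /*) ;;
        *) echo "ERROR: give an absolute path to the trusted md5sum" >&2
           return 2 ;;
    esac
    if [ ! -x "$trusted_md5sum" ]; then
        echo "ERROR: $trusted_md5sum is not executable" >&2
        return 2
    fi

    for installed in "$@"; do
        reference=$ref_root$installed
        if [ ! -f "$installed" ] || [ ! -f "$reference" ]; then
            echo "MISSING  $installed"
            bad=1
            continue
        fi
        # Hash from stdin so the output holds the digest only, then compare.
        sum_installed=$("$trusted_md5sum" < "$installed" | cut -d' ' -f1)
        sum_reference=$("$trusted_md5sum" < "$reference" | cut -d' ' -f1)
        if [ "$sum_installed" = "$sum_reference" ]; then
            echo "OK       $installed"
        else
            echo "MISMATCH $installed"
            bad=1
        fi
    done
    return $bad
}
```

The function returns 0 only when every listed file matches its reference copy, 1 on any mismatch or missing file, and 2 when the md5sum path is not usable.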