Re: Exploit or trojan
From: Felipe Franciosi (ozzybugt_at_terra.com.br)
Date: Mon, 15 Dec 2003 22:33:51 -0200
To: <email@example.com>
I'm not very experienced on forensics of sun servers, however it is
very likely that your 'ps' has been compromised. I guess that in
Solaris systems you can just reach for a new copy of 'ps' and use
the 'clean' one to check everything out.
Doing so on Linux systems doesn't help much, since recently there
have been several kernel backdoors (some are loadable modules,
others just patch /dev/kmem on the fly) which actually hide the
processes from 'ps'.
Last but not least, do not trust 'ls' and 'md5' checksums either,
since several of your system utils may have been changed as well.
-- Felipe Franciosi <firstname.lastname@example.org>
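The cross-check Felipe describes (a possibly trojaned 'ps' versus a kernel that hides processes) can be made mechanical on Linux by collecting the process list from three independent sources and diffing them. This is an added example, not code from the thread; it assumes Linux procfs and a 'ps' that accepts '-e -o pid='.

```python
"""Diff three independent views of the process table to find PIDs one source omits."""
import os
import re
import subprocess

PID_RE = re.compile(r"^\d+$")

def pids_from_proc(proc_root="/proc"):
    """PIDs visible by listing procfs: independent of the 'ps' binary, not of the kernel."""
    return {int(n) for n in os.listdir(proc_root) if PID_RE.match(n)}

def pids_from_ps(ps_output):
    """Parse 'ps -e -o pid=' output (one PID per line); the binary under suspicion."""
    return {int(s) for s in (x.strip() for x in ps_output.splitlines()) if PID_RE.match(s)}

def is_thread_group_leader(pid, proc_root="/proc"):
    """Linux thread IDs also answer kill(tid, 0); only count real processes (Tgid == pid)."""
    try:
        with open(f"{proc_root}/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:
        pass  # status unreadable: cannot prove it is a thread, keep it as a finding
    return True

def pids_by_probe(max_pid=None, proc_root="/proc"):
    """Probe every PID with signal 0; this bypasses directory listings a rootkit may filter."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # exists but belongs to another user
        if is_thread_group_leader(pid, proc_root):
            found.add(pid)
    return found

def compare_views(proc_pids, ps_pids, probe_pids):
    """PIDs one source reports but another omits; each gap is a lead to examine, not proof."""
    return {
        "hidden_from_ps": (proc_pids | probe_pids) - ps_pids,
        "hidden_from_proc_listing": probe_pids - proc_pids,
        "only_in_ps": ps_pids - proc_pids - probe_pids,  # ps claims a PID nothing else sees
    }

if __name__ == "__main__":
    ps_out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True, text=True, check=True).stdout
    for name, pids in compare_views(pids_from_proc(), pids_from_ps(ps_out), pids_by_probe()).items():
        print(name, sorted(pids))
```

Short-lived processes exit between the three snapshots, so run it more than once and only chase PIDs that stay in a gap; a kernel backdoor that hooks the syscall path itself can still lie to all three views, which is why the thread's advice to boot clean media for the real check stands.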