Re: Urgent!!! My computer seems to be hacked, pls HELP!!!



"René Berber" <rberber@xxxxxxxxxxxxxxx> writes:

> Todd H. wrote:
>> Yup. It's the only way to get back to a known state. Wiping and
>> reinstalling from original media.
>
> But that's not needed, you can find which process is using that
> particular port and kill it (use lsof).

BUT, that assumes lsof hasn't been replaced.

If someone has compromised your box, all bets are off. Rootkits and
kernel-mode rootkits are sufficiently advanced (many are impossible to
detect) that if you've been owned, especially if your admin account
has been compromised, you have to flatten and rebuild from original
media.

> Then run a rootkit detection and/or anti-virus detection to try to
> find out where that process came from (there are several to choose
> from).

Good luck with that. There's plenty of malware out there that evades
AV detection and rootkit detection. All your detectors can tell you
is whether you have malware that they know about. There's plenty they
don't know about (or which has been repacked in order to evade
detection).

Flatten and rebuild from original media. As I stated, it's the only
way to get back to a known state.

--
Todd H.
http://www.toddh.net/
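As an added example that is not part of this thread, the POSIX shell script below reads listening sockets straight from the kernel's /proc/net/tcp table and maps their inodes to PIDs through /proc/<pid>/fd, so the answer does not depend on the lsof binary on disk; the sample table it runs on by default is constructed, and a disagreement between this output and `lsof -i` on a live box is a sign that something has been tampered with. As Todd notes, a kernel-mode rootkit can falsify /proc as well, so agreement proves nothing.

```shell
#!/bin/sh
# Read the kernel's own socket table instead of trusting the lsof binary,
# which an intruder can replace. Each /proc/net/tcp row carries the local
# address as little-endian hex IPv4, the port as big-endian hex, a state
# byte (0A = LISTEN) and the socket inode that /proc/<pid>/fd entries link to.

# "0100007F" -> "127.0.0.1": the four bytes are stored in reverse order.
hex_ip() {
    h=$1
    b1=${h%??????}; t=${h%????}; b2=${t#??}
    t=${h%??}; b3=${t#????}; b4=${h#??????}
    printf '%d.%d.%d.%d' "$((0x$b4))" "$((0x$b3))" "$((0x$b2))" "$((0x$b1))"
}

# Print "ip:port inode" for every LISTEN socket in a file in /proc/net/tcp format.
listening_sockets() {
    # skip the header; fields: sl local rem st tx:rx tr:when retrnsmt uid timeout inode ...
    tail -n +2 "$1" | while read -r _ local _ st _ _ _ _ _ inode _; do
        [ "$st" = "0A" ] || continue
        printf '%s:%d %s\n' "$(hex_ip "${local%%:*}")" "$((0x${local##*:}))" "$inode"
    done
}

# Map a socket inode to the PID(s) holding it by scanning /proc/<pid>/fd (needs root).
pid_for_inode() {
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] &&
            printf '%s\n' "$fd" | cut -d/ -f3
    done | sort -u
}

# Constructed sample table (not a real capture): a listener on 0.0.0.0:22,
# one on 127.0.0.1:8080, and an ESTABLISHED connection that must be skipped.
SAMPLE_TCP=$(mktemp)
trap 'rm -f "$SAMPLE_TCP"' EXIT
cat >"$SAMPLE_TCP" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 2002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:1F90 0100007F:C3A4 01 00000000:00000000 00:00000000 00000000  1000        0 2003 1 0000000000000000 20 4 30 10 -1
EOF
# Default: run on the constructed sample. With --live, read the real table and attach PIDs.
if [ "${1:-}" = "--live" ]; then
    listening_sockets /proc/net/tcp | while read -r sock inode; do
        printf '%s inode=%s pid=%s\n' "$sock" "$inode" "$(pid_for_inode "$inode" | tr '\n' ' ')"
    done
else
    listening_sockets "$SAMPLE_TCP"
fi
```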