Re: Urgent!!! My computer seems to be hacked, pls HELP!!!


Todd H. wrote:

René Berber writes:

Todd H. wrote:
Yup. It's the only way to get back to a known state. Wiping and
reinstalling from original media.

But that's not needed, you can find which process is using that
particular port and kill it (use lsof).

BUT, that assumes lsof hasn't been replaced.

Are we geting paranoid? So what if it was replaced, is it going to lie
and you are not going to catch the lie? Granted you need some
experience, knowledge and/or outside help.

If someone has compromised your box, all bets are off. Rootkits and
kernel mode rootkits are sufficiently advanced, (many impossible to
detect), that if you've been owned, especially if your admin account
has been compromised, that's why you have to flatten and rebuild from
original media.

Then run a rootkit detection and/or anti-virus detection to try to
find out where that process came from (there are several to choose
from).

Good luck with that. There's plenty of malware out there that evades
AV detection and rootkit detection. All your detectors can tell you
is whether you have malware that they know about. There's plenty they
don't know about (or which has been repacked in order to evade
detection).

Do you have any experience at all?

"Evade detection", you must be kidding. FYI most rootkits are very
simple, they install a modified telnet or ssh and some scripts, that's
it; and any good anti-virus detects those and you have the option of
using things like tripwire so you don't even need anti-virus.

If you really want to do things carefully, you can boot from a CD and
check your drive from there. There are several options for the CD, I
have "System Rescue CD".

Flatten and rebuild from original media. As I stated, it's the only
way to get back to a known state.
--
R.Berber

.