Re: system hacked, need help

From: Stephan Neuhaus (
Date: 10/23/03

Date: Thu, 23 Oct 2003 13:09:23 +0200

Rocke Robertson wrote:
> download a new version of /bin/ps and see if it shows different output
> from the original /bin/ps.

If there is a rootkit on the machine, then it is well possible that a
hacked *kernel* returns the wrong information, not a hacked *ps binary*
(although it could of course also be a hacked ps binary). So, really,
the only way to make sure is to nuke the site from orbit^W^W^W^W^W
reinstall the operating system from the distribution media. If you can
afford it, save the suspect disks, mount them later on another machine
(read-only, so as not to disturb the atime of inodes) and go hunting for

If you can, mount them on a system with a different architecture. That
way, you can't easily run binaries or load libraries from the suspect disk.
Stephan Neuhaus
University of the Saarland, Department of Computer Science
Experimental Software Security at the Chair of Software Engineering
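The mounting advice above (read-only so atimes survive, and on a box that cannot run the suspect binaries) boils down to a handful of mount options that are easy to get wrong under pressure. The script below is an added example, not code from the thread or from its author. It assumes a raw ext4 partition image at a placeholder path and a Linux host with `mount`/`losetup`; `build_mount_cmd` only prints the command, and `check_mountpoint` reads `/proc/mounts`, so nothing here needs root except actually running the printed mount. The `noload` option is the ext3/ext4 caveat a practitioner should know: a plain `ro` mount may still replay the journal and write to the evidence, and `noload` suppresses that.

```shell
#!/bin/sh
# Added example (not from the original mailing-list post).
# Assumes: a raw ext4 partition image (placeholder path) and a Linux host.

# Mount options a defender wants on a suspect filesystem:
#   ro       no writes at all
#   noatime  belt and braces: never touch inode access times
#   noexec   never execute binaries from the suspect disk
#   nosuid   ignore setuid/setgid bits on it
#   nodev    ignore device nodes on it
#   noload   (ext3/ext4) do not replay the journal; replay writes to disk
#            even on a ro mount, which would alter the evidence
FORENSIC_OPTS="ro,noatime,noexec,nosuid,nodev,noload"

# Print (do not run) the mount command for an image file via a loop device.
# $1 = image path (placeholder), $2 = mount point
build_mount_cmd() {
    printf 'mount -t ext4 -o loop,%s %s %s\n' "$FORENSIC_OPTS" "$1" "$2"
}

# Verify that one /proc/mounts line carries every required option.
# Prints the missing ones and returns 1 if any are absent, 0 otherwise.
# (noload is deliberately not checked: it is filesystem specific.)
check_mount_line() {
    opts=$(printf '%s\n' "$1" | awk '{print $4}')
    missing=""
    for want in ro noatime noexec nosuid nodev; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        printf 'missing:%s\n' "$missing"
        return 1
    fi
    return 0
}

# Check a live mount point on this host against the required options.
# Returns 2 if nothing is mounted there, else check_mount_line's status.
check_mountpoint() {
    line=$(awk -v mp="$1" '$2 == mp' /proc/mounts)
    [ -n "$line" ] || { echo "not mounted: $1"; return 2; }
    check_mount_line "$line"
}

# Usage (after running the printed mount as root):
#   build_mount_cmd /evidence/sda1.img /mnt/suspect
#   check_mountpoint /mnt/suspect
```

Run `check_mountpoint` after every mount of evidence rather than trusting the command you typed; the kernel can silently drop options it does not support. The architecture point from the post still stands on top of this: `noexec` stops a casual `./suspect-binary`, but an analyst can defeat it with an interpreter or `ld.so`, so examining the disk on a host of a different architecture removes that temptation entirely.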