[PLUG] Killing hidden processes
stuart mathews
smathews at pcez.com
Fri Sep 27 15:59:58 UTC 2002
>> Is that process listed in /etc/inittab with a respawn option?
>
>Have you checked your kill binary to ensure it is not part of the
>rootkit and is ignoring the other trojaned binaries?
>
>FWIW, I did successfully recover a machine that had been compromised
>without a wipe and reinstall. The keys for me were:
>
> ensuring the RPM was clean
> getting lsattr and rmattr clean
> getting ps, ls, top clean
> using nessus on the system
> being highly motivated to keep trying.
>
> Michael Rasmussen aka mikeraz
Is the process of replacing an ls or ps as simple as deleting the old file and
replacing it with a known good version, or are there all kinds of other issues
like pointers to and from the file that must be dealt with as well?
-------------------
http://www.pcez.com
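
The checks named in the quoted list (RPM verification and file attributes for ps, ls and top), as an added example that is not part of the original thread. It reads `rpm -V` and `lsattr` style output and reports which binaries differ from the package database and which of those carry an immutable or append-only attribute that must be cleared before the file can be replaced. The sample lines are constructed, the function names are hypothetical, and the script assumes the rpm and lsattr binaries used to produce real input are themselves known good (for example, run from read-only media).

```shell
#!/bin/sh
# Added example. All sample data below is constructed for illustration.

# Constructed `rpm -V`-style output: flag string, optional type marker, path.
RPM_SAMPLE='S.5....T   /bin/ps
S.5....T   /bin/ls
.......T   /usr/bin/top
S.5....T c /etc/sysctl.conf
missing    /usr/bin/uptime'

# Constructed `lsattr`-style output: attribute flags, path.
LSATTR_SAMPLE='----i-------- /bin/ps
-----a------- /bin/ls
------------- /usr/bin/top'

# Print non-config files whose digest differs from the RPM database,
# plus files the database expects but that are missing.
# Limitation: paths containing spaces are not handled.
suspect_files() {
    awk '
        $1 == "missing" { print $NF; next }
        # Third character of the flag string is "5" on a digest mismatch;
        # a "c" marker means a config file, which is expected to change.
        substr($1, 3, 1) == "5" && $2 != "c" { print $NF }
    '
}

# Print files carrying the immutable (i) or append-only (a) attribute.
locked_files() {
    awk '$1 ~ /[ia]/ { print $2 }'
}

# For each suspect file, say whether attributes must be cleared first.
replace_plan() {
    locked=$(printf '%s\n' "$LSATTR_SAMPLE" | locked_files)
    printf '%s\n' "$RPM_SAMPLE" | suspect_files | while read -r f; do
        if printf '%s\n' "$locked" | grep -qxF "$f"; then
            echo "$f: clear attributes (chattr -ia), then reinstall from trusted media"
        else
            echo "$f: reinstall from trusted media"
        fi
    done
}

replace_plan
```

On a live system the two samples would be replaced by the real output of `rpm -V <package>` and `lsattr <path>`.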