If you don't want to, or have no idea what you're looking at, as Alan
said, recover and verify user data, then reformat and reinstall.
On 17 Apr 2003, Alan Cox wrote:
> > (7) Check /bin/login for a new file-date.
> > (8) Check /usr/sbin/sendmail for a new file-date.
> > Check /usr/sbin/inetd ""
> > Check /usr/sbin/xinetd ""
> > Check /usr/sbin/syslogd ""
> > Check /usr/sbin/klogd ""
> > Check /usr/sbin/in.* ""
>
> Rootkits know about avoiding this
Oh, yes. If you were running tripwire, and being good about keeping the
database somewhere on read-only media, you might be able to detect file
modifications. Place emphasis on might.
> Never do this. You don't know what else has changed on the system. You
> should always (barring odd exceptions) do a full reinstall. Also clean
> user executable files if necessary (root's .login is often archived and
> people rerun exploits from it...)
I'm trying to think up one of those odd situations ...
--
-- John E. Jasen (jjasen@realityfailure.org)
-- User Error #2361: Please insert coffee and try again.
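Added example, not part of the original message: a minimal Python sketch of the tripwire-style baseline comparison discussed above, showing why a file-date check alone misses a replaced file whose timestamp was restored while a content hash does not. The file name `login` in a temporary directory is a constructed stand-in, and the function names are hypothetical; this is not Tripwire's own code.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash file contents in chunks so large binaries are handled."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(paths):
    """Record mtime, size and SHA-256 per file. The result is the baseline
    that would be kept on read-only media."""
    out = {}
    for p in paths:
        st = os.stat(p)
        out[p] = {"mtime_ns": st.st_mtime_ns, "size": st.st_size,
                  "sha256": sha256_file(p)}
    return out

def compare(baseline):
    """Return {path: [fields that differ]} for files that no longer match."""
    current = snapshot([p for p in baseline if os.path.exists(p)])
    report = {}
    for p, old in baseline.items():
        new = current.get(p)
        if new is None:
            report[p] = ["missing"]
            continue
        diff = [k for k in old if old[k] != new[k]]
        if diff:
            report[p] = diff
    return report

def demo():
    """Constructed sample: same-size replacement with the original timestamps put back."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "login")  # stand-in, not the real /bin/login
        with open(target, "wb") as f:
            f.write(b"original binary\n")
        baseline = snapshot([target])
        st = os.stat(target)
        with open(target, "wb") as f:
            f.write(b"replaced binary\n")  # same length as the original
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))  # date looks unchanged
        return compare(baseline)

if __name__ == "__main__":
    print(demo())  # only the sha256 field is reported as changed
```

The comparison is only as trustworthy as the system it runs on, so on a suspect host it would be run from known-good media against the offline baseline.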