Linux Security: rootkit infected
04-20-2005, post #11
Linux Enthusiast
 
Join Date: Mar 2005
Location: Republic of Texas
Posts: 732
Can't take it off line? Very irresponsible.

There are no guarantees that your system is clean, even after running packaged programs that supposedly clean your PC.

As Flatline already stated earlier in this thread, the ONLY way you will know you have a clean installation is to repartition, reformat, and reinstall the system. Period. To do anything else is just plain, well, for lack of a better word, stupid.
__________________
Registered Linux user #384279
retired1af
04-20-2005, post #12
Just Joined!
 
Join Date: Feb 2004
Location: Indonesia
Posts: 84
Take it easy retired1af, this server I manage is running some small web hosting.
Of course I can't take it offline for a while (I can get customers even more angry).

But I found that the suckit rootkit binary on mine is under
/usr/X11R6/bin/.httpd/

Hey, I found it after doing
# locate sniffer
/usr/X11R6/bin/.httpd/.sniffer

You may try this link I found: http://hepwww.rl.ac.uk/sysman/april2...dentReport.ppt
Because Google is very kind, you may try this HTML page:
http://64.233.183.104/search?q=cache...ient=firefox-a
or just type "remove suckit rootkit" in the query.

Thanks for your support.
kamtono
04-20-2005, post #13
Linux Enthusiast
 
Join Date: Mar 2005
Location: Republic of Texas
Posts: 732
How do you know that the kit isn't the only thing on there? Blunt answer. You don't. Your system has been compromised. And I guarantee your customers will be far more upset and angry if they knew you were running a compromised box.
__________________
Registered Linux user #384279
retired1af
04-21-2005, post #14
Linux User
 
Join Date: Feb 2005
Posts: 290
Save your time: do the 3R instead of searching around for a solution,
use a new root password after you've re-installed your system,
remember to update your system frequently with the latest patches from the distro vendor,
stop using the root account with plain text protocols like telnet, pop3, smtp, etc.,
firewall your box properly,
and disable those unnecessary services to minimize the chances of being hacked.

Good luck.
adam7979
04-24-2005, post #15
Linux Newbie
 
Join Date: Nov 2004
Posts: 239
How would you tell if you have been infected by such a rootkit?
dark_lord_kodd
05-07-2005, post #16
Linux User
 
Join Date: Feb 2005
Location: London, England
Posts: 327
> Originally Posted by dark_lord_kodd
> How would you tell if you have been infected by such a rootkit?

You can use a program called chkrootkit; you can get it here:
http://freshmeat.net/redir/chkrootki...rootkit.tar.gz

It checks your binaries for rootkit modifications
http://web01.slackhost.net/~admin74/...chkrootkit.png
and then checks for the existence of any worms or rootkits
http://web01.slackhost.net/~admin74/...hkrootkit1.png
__________________
"The search for the MOT JUSTE is not a pedantic fad but a vital necessity. Words are our precision tools. Imprecision engenders ambiguity and hours are wasted in removing verbal misunderstandings before the argument of substance can begin."

Do the things you use not respect you, the user? Then it's defective by design, so make your voice heard.
Krendoshazin
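A defender-side check that ties kamtono's `locate sniffer` hit to what Krendoshazin describes chkrootkit doing: it lists dot-named entries hidden inside executable directories (like /usr/X11R6/bin/.httpd/.sniffer) and, where the system has rpm or debsums, cross-checks packaged binaries against the package database. This is an added example by the editor, not code from the thread or from chkrootkit; the default directory list and the rpm/debsums availability are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): look for hidden dot-named entries in
# directories that should hold only ordinary executables. Legitimate dotfiles
# there are very rare, so every hit deserves a manual look.
# Output: one "path|dir" or "path|file" line per hit.
find_hidden_in_bindirs() {
    # $@ = directories to scan; the defaults are an assumption about a
    # typical 2005-era layout and include the /usr/X11R6/bin path from the thread
    if [ $# -eq 0 ]; then
        set -- /bin /sbin /usr/bin /usr/sbin /usr/X11R6/bin /usr/local/bin
    fi
    for d in "$@"; do
        [ -d "$d" ] || continue
        # -mindepth 1 skips the start directory; -name '.*' matches any
        # basename starting with a dot, so nested hits are reported too
        find "$d" -mindepth 1 -name '.*' 2>/dev/null | while read -r p; do
            if [ -d "$p" ]; then t=dir; else t=file; fi
            printf '%s|%s\n' "$p" "$t"
        done
    done
}

# Number of hidden entries found (handy for a one-line cron report)
count_hidden_in_bindirs() {
    find_hidden_in_bindirs "$@" | wc -l | tr -d ' '
}

# Cross-check packaged binaries the way chkrootkit's binary test does in
# spirit: rpm -V flags '5' when a file's digest differs from the package;
# debsums -c lists changed files. Both trust a database the rootkit may
# also have edited, so treat a clean result as weak evidence and prefer
# running from rescue media.
verify_packaged_binaries() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -Va 2>/dev/null | grep -E '^..5'
    elif command -v debsums >/dev/null 2>&1; then
        debsums -c 2>/dev/null
    else
        echo "no rpm or debsums here; verify binaries from rescue media" >&2
        return 1
    fi
}
```

A hit like `/usr/X11R6/bin/.httpd|dir` does not prove a rootkit by itself, but as the thread's posters note, anything found this way is a reason to take the box offline and rebuild rather than to clean in place.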
05-10-2005, post #17
Just Joined!
 
Join Date: May 2005
Posts: 42
Rootkit Hunter is another good one.
http://www.rootkit.nl/projects/rootkit_hunter.htm

Detection List:

55808 Trojan - Variant A
ADM W0rm
AjaKit
aPa Kit
Apache Worm
Ambient (ark) Rootkit
Balaur Rootkit
BeastKit
beX2
BOBKit
CiNIK Worm (Slapper.B variant)
Danny-Boy's Abuse Kit
Devil RootKit
Dica
Dreams Rootkit
Duarawkz Rootkit
Flea Linux Rootkit
FreeBSD Rootkit
****`it Rootkit
GasKit
Heroin LKM
HjC Rootkit
ignoKit
ImperalsS-FBRK
Irix Rootkit
Kitko
Knark
Li0n Worm
Lockit / LJK2
mod_rootme (Apache backdoor)
MRK
Ni0 Rootkit
NSDAP (RootKit for SunOS)
Optic Kit (Tux)
Oz Rootkit
Portacelo
R3dstorm Toolkit
RH-Sharpe's rootkit
RSHA's rootkit
Scalper Worm
Shutdown
SHV4 Rootkit
SHV5 Rootkit
Sin Rootkit
Slapper
Sneakin Rootkit
Suckit
SunOS Rootkit
Superkit
TBD (Telnet BackDoor)
TeLeKiT
T0rn Rootkit
Trojanit Kit
URK (Universal RootKit)
VcKit
Volc Rootkit
X-Org SunOS Rootkit
zaRwT.KiT Rootkit

and some known/unknown sniffers and backdoors like:
Anti Anti-sniffer
LuCe LKM
THC Backdoor
Salient
© 2000 - 2009 - All Rights Reserved - Property of  MAS Media