chkrootkit: possible trojan

Paul paul at all-the-johnsons.co.uk
Sat Sep 11 15:01:36 UTC 2004


Hi,

> I still have (partial?) root access. 

Well, you either do or don't have root access.

> Logs show china9988 at 21cn.com trying
> to relay through smtp port, which leads me to think that it's either a
> diversion, or I rehashed aliases.db before that part of the compromise
> was complete (highly unlikely, invisible shell access should be able to
> overcome that). 

Sounds like a diversion to me. I would close down all services except
ssh and I mean *everything*, run nmap, change the root password to
something with lots of numbers, non-alpha characters and such
(something like 1maL3atulP0ot7r [Im a little Pooter] - obviously, not
that one though!), logout, leave for a little while and log back in. Run
nmap and see if something has been opened. 

If it has been r00ted, then ports will have been opened. Do this a
couple of times to make sure.

If they have, install dsniffer and use that to find where the little sod
is (though don't rely on it too much).

As to closing ports, a quick google search will help you there.

I would also run netstat -ln.

> Any insight is appreciated.

Hope the above helps. As I've said though, once you've been r00ted,
unless the one who r00ts doesn't know what they're doing, the only way
to get rid of them completely is to change the drive, reinstall etc etc
etc.

TTFN

Paul
-- 
"Our enemies are innovative and resourceful - and so are we,"
"They never stop thinking about new ways to harm our country and our
people - and neither do we." - George W. Bush, Aug 2004
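The "snapshot the listeners, wait, snapshot again" check Paul describes above can be scripted so the comparison is not done by eye. The block below is an added example, not part of Paul's mail; it parses two `netstat -ln` style snapshots and prints listening ports that exist only in the second one. The netstat output embedded in it is constructed sample data, and the function names (`listening_ports`, `new_listeners`, `demo_new_listeners`) are hypothetical.

```shell
#!/bin/sh
# Added example: diff two "netstat -ln" snapshots for newly opened listeners.
# Sample netstat output below is constructed, not captured from a real host.
export LC_ALL=C   # fixed collation so sort and comm agree

# Read netstat -ln output on stdin, print one "proto/port" per listening
# socket (tcp/tcp6/udp/udp6 only; unix sockets are skipped), sorted, unique.
listening_ports() {
    awk '
        $1 ~ /^(tcp|tcp6|udp|udp6)$/ {
            # Field 4 is the local address; the port follows the last colon,
            # which also copes with IPv6 forms such as ":::22".
            n = split($4, a, ":")
            proto = $1
            sub(/6$/, "", proto)          # fold tcp6 -> tcp, udp6 -> udp
            print proto "/" a[n]
        }' | sort -u
}

# Print listeners present in the second snapshot file but not the first.
new_listeners() {
    baseline_file=$1
    current_file=$2
    b_ports=$(mktemp) || return 1
    c_ports=$(mktemp) || return 1
    listening_ports < "$baseline_file" > "$b_ports"
    listening_ports < "$current_file"  > "$c_ports"
    comm -13 "$b_ports" "$c_ports"    # lines only in the second file
    rm -f "$b_ports" "$c_ports"
}

# Constructed baseline: sshd, local-only MTA, DHCP client, one unix socket.
BASELINE_SNAPSHOT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
unix  2      [ ACC ]     STREAM     LISTENING     1234 /var/run/example.sock'

# Constructed later snapshot: same services plus two unexpected listeners.
CURRENT_SNAPSHOT="$BASELINE_SNAPSHOT
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN
tcp6       0      0 :::6667                 :::*                    LISTEN"

# Write the constructed snapshots to files and report what appeared.
demo_new_listeners() {
    b=$(mktemp) || return 1
    c=$(mktemp) || return 1
    printf '%s\n' "$BASELINE_SNAPSHOT" > "$b"
    printf '%s\n' "$CURRENT_SNAPSHOT"  > "$c"
    new_listeners "$b" "$c"
    rm -f "$b" "$c"
}

demo_new_listeners
```

In practice, save the first snapshot right after locking the box down (`netstat -ln > baseline.txt`), take the second one later, and feed both files to `new_listeners`. Two caveats: modern systems ship `ss` rather than `netstat`, and `ss -ltnu` prints a different column layout, so the awk field would need adjusting; and on a rooted host the local tool may itself be lying, which is exactly why Paul also wants an nmap scan from outside. A port that nmap sees open but netstat does not list is a strong indicator on its own.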