On Fri, 25 Feb 2005, Jonathan Hutchins wrote:
I found a trojan running on my server today - rootedoor (http://vil.mcafeesecurity.com/vil/content/v_128116.htm).
I detected it running as one of the last two processes listed by 'ps ax' just before a reboot to install a new kernel; the reboot seems to have eliminated all traces of it from the system.
Any decent rootkit will overwrite ps, ls, less, more, netstat and a cast of thousands. If you don't re-install these, your system tests have little value.
Regards,
-Don
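
Added example, not part of the original thread: one way to test whether the installed `ps` is hiding processes is to compare its output with the numeric directories the kernel exposes under `/proc` on Linux. The function names and the sample data are constructed for illustration, and the check assumes a trusted Python interpreter and a kernel that has not itself been modified to filter `/proc`.

```python
import os
import subprocess

def parse_ps_pids(ps_output):
    """Return the set of PIDs in `ps ax` style output (first column)."""
    pids = set()
    for line in ps_output.splitlines():
        fields = line.split()
        if fields and fields[0].isdigit():   # skips the "PID TTY ..." header
            pids.add(int(fields[0]))
    return pids

def proc_pids(proc_root="/proc"):
    """Return the PIDs the kernel lists as numeric entries under /proc."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}

def hidden_from_ps(kernel_pids, ps_pids):
    """PIDs the kernel reports but ps does not show, sorted."""
    return sorted(set(kernel_pids) - set(ps_pids))

def live_check():
    """Run the comparison on this host, ignoring short-lived processes."""
    before = proc_pids()
    ps_out = subprocess.run(["ps", "ax"], capture_output=True,
                            text=True, check=True).stdout
    after = proc_pids()
    # Keep only PIDs alive both before and after ps ran, so a process that
    # started or exited during the snapshot is not reported as hidden.
    return hidden_from_ps(before & after, parse_ps_pids(ps_out))

# Constructed sample: ps output from a host whose ps omits PID 4711.
SAMPLE_PS = """\
  PID TTY      STAT   TIME COMMAND
    1 ?        Ss     0:01 init [3]
    2 ?        S      0:00 [kthreadd]
  412 ?        Ss     0:00 /usr/sbin/sshd
 5120 pts/0    R+     0:00 ps ax
"""
SAMPLE_PROC = {1, 2, 412, 4711, 5120}   # constructed /proc listing

if __name__ == "__main__":
    print("sample:", hidden_from_ps(SAMPLE_PROC, parse_ps_pids(SAMPLE_PS)))
    print("live:  ", live_check())
```

A non-empty result is a reason to examine the host from known-good media; an empty one does not clear it.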