On Sunday 13 November 2005 09:58 am, Matt Graham wrote:
Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient)
Checking `chkutmp'... The tty of the following user process(es) were not found in /var/run/utmp !
Searching for suspicious files and dirs, it may take a while...
/usr/lib/j2se/1.4/jre/.systemPrefs
/usr/lib/j2se/1.4/jre/.systemPrefs/.systemRootModFile
/usr/lib/j2se/1.4/jre/.systemPrefs/.system.lock
/usr/lib/j2se/1.4/jre/.systemPrefs
I guess that since I even suspect that it's compromised, I should reinstall.
Yea, your sentiments are correct. Unfortunately, you can't really say with certainty that your box is clean once it has been rooted. So, I would first get an idea of what kind of illegal stuff it has been participating in by getting some packet captures like this:
tcpdump -s 1550 -w mydump.bin -i eth1 not port 22
Then open up mydump.bin later on another box with Ethereal. That way you know what you might be accused of in the future and you have documentation.
When you reinstall, be sure you reformat your partitions before you install. Oh, and non-executables are fine to make backups of. They can't usually carry any malicious code. Be careful of your config files though.
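The reply suggests capturing traffic with `tcpdump ... not port 22` and reading the file later on a clean machine. As an added illustration (not code from this thread or from tcpdump/Ethereal), the script below shows what that later analysis step looks like in plain Python: it parses the classic pcap format that `tcpdump -w` writes, applies the same "ignore port 22" rule in code, summarises the remaining flows, and records a SHA-256 of the capture so the evidence can be shown to be unaltered. The capture bytes are constructed inline from documentation addresses (192.0.2.x, 198.51.100.x, 203.0.113.x); they are not from a real incident, and the file name `mydump.bin` is reused from the post only as a label.

```python
import hashlib
import socket
import struct

# --- Constructing a tiny pcap in memory (sample data, not a real capture) ---

def _ethernet(payload):
    # Dummy MAC addresses; ethertype 0x0800 = IPv4
    return b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", 0x0800) + payload

def _ipv4(src, dst, proto, payload):
    # Minimal 20-byte IPv4 header; checksum left at 0 (not validated here)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def _tcp(sport, dport, payload=b""):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 8192, 0, 0) + payload

def _udp(sport, dport, payload=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def build_sample_pcap():
    frames = [
        _ethernet(_ipv4("192.0.2.10", "198.51.100.5", 6, _tcp(40000, 22, b"ssh"))),
        _ethernet(_ipv4("192.0.2.10", "203.0.113.9", 6, _tcp(40001, 6667, b"NICK bot"))),
        _ethernet(_ipv4("192.0.2.10", "203.0.113.9", 6, _tcp(40001, 6667, b"JOIN #x"))),
        _ethernet(_ipv4("192.0.2.10", "192.0.2.1", 17, _udp(5353, 53, b"\x00" * 12))),
    ]
    # Global header: magic, major, minor, tz, sigfigs, snaplen, linktype 1 (Ethernet)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1131879480 + i, 0, len(frame), len(frame)) + frame
    return out

# --- Reading the capture back, as one would on a separate analysis box ---

def parse_pcap(data):
    """Return (linktype, [(timestamp, frame_bytes), ...]) for a classic pcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    offset, packets = 24, []
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        packets.append((ts_sec + ts_usec / 1e6, data[offset:offset + incl_len]))
        offset += incl_len
    return linktype, packets

def decode_frame(frame):
    """Extract proto/src/sport/dst/dport from an Ethernet+IPv4 frame, or None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    l4 = 14 + ihl
    sport = dport = None
    if proto in (6, 17) and len(frame) >= l4 + 4:   # TCP and UDP share port layout
        sport, dport = struct.unpack_from("!HH", frame, l4)
    return {"proto": {6: "tcp", 17: "udp"}.get(proto, str(proto)),
            "src": socket.inet_ntoa(frame[26:30]), "sport": sport,
            "dst": socket.inet_ntoa(frame[30:34]), "dport": dport}

def summarize_flows(pcap_bytes, exclude_port=22):
    """Count packets per 5-tuple, skipping the admin's own SSH traffic (like 'not port 22')."""
    counts = {}
    for _, frame in parse_pcap(pcap_bytes)[1]:
        d = decode_frame(frame)
        if d is None or exclude_port in (d["sport"], d["dport"]):
            continue
        key = (d["proto"], d["src"], d["sport"], d["dst"], d["dport"])
        counts[key] = counts.get(key, 0) + 1
    return counts

def evidence_record(pcap_bytes, filename):
    """Hash and time-bound the capture so it can be kept as documentation."""
    _, packets = parse_pcap(pcap_bytes)
    return {"file": filename, "sha256": hashlib.sha256(pcap_bytes).hexdigest(),
            "packets": len(packets),
            "first_ts": packets[0][0] if packets else None,
            "last_ts": packets[-1][0] if packets else None}

if __name__ == "__main__":
    data = build_sample_pcap()
    print(evidence_record(data, "mydump.bin"))
    for flow, n in summarize_flows(data).items():
        print(n, flow)
```

The hash in `evidence_record` is the part worth keeping alongside the capture: compute it immediately after `tcpdump` finishes, store it off the suspect host, and anyone who later opens the file in Ethereal can confirm it is the same file that was captured.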