
[no subject]



I think you have answered your own question there, and I'm sure you
know that already. If an intruder was actually able to execute
commands from a shell on your system, it can't be trusted...period. If
you absolutely have to leave it up, you should at least run chkrootkit
on it along with any sig checks (if you have them). Then it should be
surrounded by packet filters immediately. However, you should take no
feeling of comfort away from this no matter the result. You should
image the system for recovery purposes and wipe it as soon as you
possibly can. Prolonging the inevitable only leads to more problems.

--
Jonathan


</pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<ul><li><strong>Follow-Ups</strong>:
<ul>
<li><strong><a name="00383" href="msg00383.html">[ale] Compromised System</a></strong>
<ul><li><em>From:</em> transam at verysecurelinux.com (Bob Toxen)</li></ul></li>
</ul></li></ul>
<!--X-Follow-Ups-End-->
<!--X-References-->
<ul><li><strong>References</strong>:
<ul>
<li><strong><a name="00364" href="msg00364.html">[ale] Compromised System</a></strong>
<ul><li><em>From:</em> wormfishin at gmail.com (Nick Travis)</li></ul></li>
</ul></li></ul>
<!--X-References-End-->
</body>
</html>