On Friday 15 August 2003 07:18 pm, Spencer Butler wrote:
> I would certainly at the very least boot the machine into single user
> mode and run chkrootkit or the like on it, and inspect it for obvious
> signs of intrusion.  You may also want to make sure you don't have some
> scripts starting at boot, or modules loading that you don't need to have
> (especially usb stuff).
>
> You can also boot the machine using a rescue disk such as knoppix and
> investigate the problem.  Another advantage of booting from a rescue
> disk is you get to test the hardware to see if you can recreate the
> kernel panics from a completely different environment.

Not sure how this got into a compromised box thing, but every compromise I've
dealt with in the last 6 months has been a "good" hack. Meaning they have
installed kernel modules to hide their kits.

Only way to discover them is to boot bbc/knoppix/trb/etc and run chkrootkit
over the disk.
-- 
Bob Tanner <tanner at real-time.com>         | Phone : (952)943-8700
http://www.mn-linux.org, Minnesota, Linux | Fax   : (952)943-8500
Key fingerprint = AB15 0BDF BCDE 4369 5B42  1973 7CF1 A709 2CC1 B288

_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
http://www.mn-linux.org tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list
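
An added example, not part of the original thread: with the suspect disk mounted read-only from rescue media, this script lists the kernel modules configured to load at boot and reports any that have no matching module file on the disk, so the check never relies on the installed kernel. It complements chkrootkit rather than replacing it. The mount point passed as the first argument and the `etc/modules` and `etc/modules-load.d/*.conf` locations are assumptions that vary by distribution.

```shell
#!/bin/sh
# Added example: audit boot-time module configuration on an offline root.
# Assumption: the suspect filesystem is mounted read-only at the path given
# as $1 after booting from rescue media. File locations are distribution
# conventions, not something stated in the thread.

# Print the module names configured to load at boot under the given root.
boot_modules() {
    root=$1
    for f in "$root/etc/modules" "$root"/etc/modules-load.d/*.conf; do
        [ -f "$f" ] || continue
        # Strip comments and blank lines; the first field is the module name.
        sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$f" | awk '{print $1}'
    done | sort -u
}

# Print configured modules with no module file under lib/modules.
# A configured name with no file behind it, or one you do not recognise,
# is worth a closer look during the offline inspection.
missing_modules() {
    root=$1
    boot_modules "$root" | while read -r m; do
        # File names may use '_' where the configured name uses '-'.
        pat=$(printf '%s' "$m" | sed 's/[_-]/[_-]/g')
        if ! find "$root/lib/modules" -type f \
                \( -name "$pat.ko*" -o -name "$pat.o" \) 2>/dev/null |
                grep -q .; then
            printf '%s\n' "$m"
        fi
    done
}

# Usage: sh audit-modules.sh /path/to/mounted/root
if [ $# -gt 0 ]; then
    missing_modules "$1"
fi
```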