On Friday 15 August 2003 07:18 pm, Spencer Butler wrote:
> I would certainly at the very least boot the machine into single user
> mode and run chkrootkit or the like on it, and inspect it for obvious
> signs of intrusion. You may also want to make sure you don't have some
> scripts starting at boot, or modules loading that you don't need to have
> (especially usb stuff).
>
> You can also boot the machine using a rescue disk such as knoppix and
> investigate the problem. Another advantage of booting from a rescue
> disk is you get to test the hardware to see if you can recreate the
> kernel panics from a completely different environment.

Not sure how this got into a compromised box thing, but every compromise I've
dealt with in the last 6 months has been a "good" hack. Meaning they have
installed kernel modules to hide their kits.

Only way to discover them is to boot bbc/knoppix/trb/etc and run chkrootkit
over the disk.

--
Bob Tanner <tanner at real-time.com>         | Phone : (952)943-8700
http://www.mn-linux.org, Minnesota, Linux   | Fax   : (952)943-8500
Key fingerprint = AB15 0BDF BCDE 4369 5B42  1973 7CF1 A709 2CC1 B288

_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
http://www.mn-linux.org tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list
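
An added example, not part of the original post or of chkrootkit itself: a sketch of the offline scan described above, run from rescue media so that a hidden kernel module on the suspect install is never loaded. The function names `device_in_use` and `scan_offline`, and the device and mount point in the usage line, are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Run from rescue media (Knoppix etc.), never from the suspect install.
# Usage: sh scan.sh /dev/sdXN /mnt/suspect   (both values are placeholders)

# Read-only, and ignore executables, device nodes and setuid bits on the suspect disk.
SAFE_OPTS="ro,noexec,nodev,nosuid"

# device_in_use DEVICE [MOUNTS_FILE]
# Succeeds if DEVICE is listed as a mount source in a /proc/mounts-format file.
# A suspect disk that is already mounted (for instance as "/") means we are
# not looking at it from a clean environment. This is an exact string match,
# so a root shown as /dev/root or by label will not be caught.
device_in_use() {
    awk -v dev="$1" '$1 == dev { found = 1 } END { exit !found }' "${2:-/proc/mounts}"
}

# scan_offline DEVICE MOUNTPOINT [MOUNTS_FILE]
# MOUNTS_FILE defaults to /proc/mounts; the override exists for testing.
scan_offline() {
    dev=$1
    mnt=$2
    if device_in_use "$dev" "${3:-/proc/mounts}"; then
        echo "refusing: $dev is already mounted; boot rescue media first" >&2
        return 2
    fi
    if ! command -v chkrootkit >/dev/null 2>&1; then
        echo "chkrootkit not found on the rescue media" >&2
        return 3
    fi
    mkdir -p "$mnt" || return 1
    mount -o "$SAFE_OPTS" "$dev" "$mnt" || return 1
    # -r makes chkrootkit treat MOUNTPOINT as the root directory to examine.
    # The kernel and the helper binaries doing the work come from the rescue media.
    chkrootkit -r "$mnt"
    rc=$?
    umount "$mnt"
    return "$rc"
}

if [ "$#" -eq 2 ]; then
    scan_offline "$1" "$2"
fi
```
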