Hi!

>First, we need some fresh & clean tools:
>
>kill, killall, ps, more, netstat, ls, dpkg, apt-tools, chattr, lsattr, bash 
>(or whatever shell you prefer).
>
>
>Replace your shell with the clean one (the /etc/passwd race).

Be aware that sometimes the rootkits also apply to the libc or even kernel 
modules, so just uploading new dynamically linked versions of the above programs 
will not help you. Try compiling some of those tools statically (-static in 
gcc) on some other host you trust, especially the "ps" command.

In any case, if you have an LKM rootkit, you're done; it doesn't matter if you upload 
static, dynamic or whatever. Kernel rootkits are hard to find; not even lsmod or 
rmmod can help you, because it is quite easy to make a kernel module unloadable 
or even hidden. Some of you may be thinking that they are safe from those kinds of 
attacks because they have disabled kernel module support in their kernel; well, 
they are wrong :). There is code, and nice white papers, explaining how to 
insert kernel code through /proc/kmem. If I am not wrong, Silvio Cesare 
developed this technique two or three years ago; although it hasn't been 
exploited too much, you must be aware of its existence.

Mario Lopez.
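As an added example (not part of Mario's message), here is a way to verify on the trusted build host that a tool really came out statically linked before you upload it, without depending on `ldd`, which itself runs the dynamic loader and cannot be trusted on a host with a trojaned libc. It parses the ELF program headers directly; the `build_sample_elf64` helper constructs a fake minimal ELF image so the script runs offline, and the classification names are the script's own.

```python
import struct
import sys

PT_DYNAMIC, PT_INTERP = 2, 3  # program-header types that reveal dynamic linking

def program_header_types(data):
    """Parse an ELF image and return the p_type of each program header."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    endian = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = LSB, 2 = MSB
    if data[4] == 2:                        # EI_CLASS 2 = ELF64
        e_phoff = struct.unpack_from(endian + "Q", data, 0x20)[0]
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x36)
    elif data[4] == 1:                      # EI_CLASS 1 = ELF32
        e_phoff = struct.unpack_from(endian + "I", data, 0x1C)[0]
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x2A)
    else:
        raise ValueError("unknown ELF class")
    # p_type is the first 4 bytes of every program header in both classes
    return [struct.unpack_from(endian + "I", data, e_phoff + i * e_phentsize)[0]
            for i in range(e_phnum)]

def linkage(data):
    """Classify a binary: 'static' (no interpreter, no dynamic section),
    'static-pie' (self-relocating, still needs no host ld.so or libc), or
    'dynamic' (PT_INTERP present: will load the possibly trojaned host libc)."""
    types = program_header_types(data)
    if PT_INTERP in types:
        return "dynamic"
    return "static-pie" if PT_DYNAMIC in types else "static"

def build_sample_elf64(phdr_types):
    """Constructed minimal little-endian ELF64 image (header plus empty
    program headers) used only to exercise the parser; not a real binary."""
    n = len(phdr_types)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 64, 0, 0,
                               64, 56, n, 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0)
                     for t in phdr_types)
    return ehdr + phdrs

if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:  # no files given: demonstrate on the constructed samples
        print("sample static  :", linkage(build_sample_elf64([1, 1])))
        print("sample dynamic :", linkage(build_sample_elf64([3, 1, 2])))
    for p in paths:
        with open(p, "rb") as f:
            print(f"{p}: {linkage(f.read())}")
```

Run it as `python3 check_static.py ./ps ./netstat` on the trusted host; anything reported as "dynamic" should be rebuilt with -static before it goes anywhere near the compromised machine.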
