> > which isn't backdoored. Only problem with this is, once it is on your
> > potentially infected box, its output can no longer be trusted, as one of
> > those 69 processes could maim the output of your new ps, not to mention how
> > easily a kernel backdoor [LKM, kernel patch (hard or /dev/kmem)] could do.
If a user was to gain local root privileges, it is also possible that he/she has loaded/forced a kernel module also. Check your modules directory and files to see what is being loaded (off the network). It could be that ps and /proc agree, but the kernel is not reporting correctly to either (given that a rogue module is loaded). You could also compile a kernel from clean source and boot with it (off the network), then check binaries to be sure they md5 up correctly.

-- Nathan Yocom <[EMAIL PROTECTED]>
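The two checks suggested above (compare binaries against known-good hashes after booting a clean kernel, and look at which modules the kernel reports as loaded) can be scripted so they are repeatable. The following is an added example, not code from the thread or its authors: it builds a hash manifest of a directory tree, later verifies the tree against that manifest (reporting modified, missing and added files), and compares a `/proc/modules` listing against an allowlist. The directory layout, file contents and the `/proc/modules` text are all constructed for the demo; in real use the manifest is built from clean media, stored off the box, and the verification is run from the clean boot the thread describes.

```python
"""Baseline-manifest check for binaries plus a loaded-module allowlist check.
Added example, not from the mailing-list thread. All sample data is constructed."""
import hashlib
import os
import tempfile


def file_digest(path, algo="sha256"):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, algo="sha256"):
    """Map relative path -> digest for every regular (non-symlink) file under root.
    Run this from known-good media and keep the result off the machine."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                manifest[os.path.relpath(full, root)] = file_digest(full, algo)
    return manifest


def verify_manifest(root, baseline, algo="sha256"):
    """Re-hash the tree and diff it against the stored baseline."""
    current = build_manifest(root, algo)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def unexpected_modules(proc_modules_text, allowlist):
    """Return module names from a /proc/modules listing that are not allowlisted.
    /proc/modules lines start with the module name; the rest of each line is ignored.
    A rootkit module can hide itself from this listing, which is why the thread
    recommends checking from a clean kernel rather than trusting the running one."""
    names = [line.split()[0] for line in proc_modules_text.splitlines() if line.strip()]
    return sorted(n for n in names if n not in allowlist)


def demo():
    """Constructed scenario: baseline three binaries, then tamper with the tree."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for name, data in (("ps", b"clean ps"), ("ls", b"clean ls"), ("netstat", b"clean netstat")):
            with open(os.path.join(root, "bin", name), "wb") as f:
                f.write(data)
        baseline = build_manifest(root)

        # Simulate a replaced ps, a deleted netstat and a dropped-in extra file.
        with open(os.path.join(root, "bin", "ps"), "wb") as f:
            f.write(b"replaced ps")
        os.remove(os.path.join(root, "bin", "netstat"))
        with open(os.path.join(root, "bin", "extra"), "wb") as f:
            f.write(b"unknown binary")
        files = verify_manifest(root, baseline)

    # Constructed /proc/modules content in the real format: name size refcount deps state offset
    sample_modules = (
        "ext3 102400 2 - Live 0xffffffffc0a00000\n"
        "e100 40960 0 - Live 0xffffffffc0b00000\n"
        "unknown_mod 16384 0 - Live 0xffffffffc0c00000\n"
    )
    modules = unexpected_modules(sample_modules, {"ext3", "e100"})
    return {"files": files, "modules": modules}


if __name__ == "__main__":
    print(demo())
```

Extending the allowlist with the modules found in the kernel's modules directory (as the reply suggests) is a matter of listing that directory and adding the basenames; the point of the manifest is that it is built and compared from a kernel you trust, since a hostile module can make both `ps` and `/proc` lie consistently.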