> ... i created a directory, copied 'ps' et al to it, and used chattr on
> them. having a known good binary outside $PATH is something of a comfort
> ...
Of course, if the cracker has gotten root, they can chattr it right back. In fact, the first thing I'd do as an attacker is to find all chattr'd files on the filesystem since they're probably important.

The only way to be absolutely sure you see the real state of the filesystem is to boot off of pristine read-only media. When you've verified all the binaries and checked for any unusual startup actions (/etc/rc?.d, /etc/inittab, initrd device, etc) which could modify things then you can trust your ps commands -- as long as the attacker doesn't come in and modify things again. (You should work without the network plugged in until you're sure things are sane.)

--
Brian Hatch                         Dijon vu: the same
 Systems and                        mustard as before.
 Security Engineer
http://www.ifokr.org/bri/

Every message PGP signed
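As an added example (my own code, not part of Brian's message or any project he describes), a script for the procedure he outlines: run from a pristine read-only boot with the suspect root mounted, verify the binaries against an off-host manifest of known-good digests, list recently changed files under the startup locations, and enumerate the immutable-flagged files so the set can be compared with what the admin actually set. The manifest format, the function names and the extra startup locations beyond rc?.d and inittab are my assumptions.

```shell
#!/bin/sh
# Added example, not part of the original message. Offline integrity check
# meant to run from a pristine read-only boot with the suspect filesystem
# mounted read-only at ROOT. Assumes a manifest of SHA-256 sums recorded
# from the known-good install and kept off-host, one "<hex sum>  <path>"
# per line, paths relative to ROOT (bin/ps, bin/ls, ...). Names are mine.

# digest FILE: print the SHA-256 hex digest of FILE
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_manifest MANIFEST ROOT: report every listed file that is missing
# or whose digest differs; succeed (exit 0) only when every entry matches.
verify_manifest() {
    manifest="$1"; root="$2"; bad=0
    while read -r sum path; do
        [ -z "$path" ] && continue       # skip blank lines
        if [ ! -f "$root/$path" ]; then
            echo "MISSING  $path"; bad=$((bad + 1)); continue
        fi
        if [ "$(digest "$root/$path")" != "$sum" ]; then
            echo "MODIFIED $path"; bad=$((bad + 1))
        fi
    done < "$manifest"
    [ "$bad" -eq 0 ]
}

# recent_startup_changes ROOT [DAYS]: list files under the startup locations
# the message names (rc?.d, inittab) plus a few common extras, changed within
# DAYS days (default 30); compare the hits with the known patch history.
recent_startup_changes() {
    root="$1"; days="${2:-30}"
    for d in "$root"/etc/rc?.d "$root"/etc/init.d "$root"/etc/inittab \
             "$root"/etc/cron.d "$root"/etc/crontab "$root"/etc/ld.so.preload; do
        [ -e "$d" ] && find "$d" -mtime "-$days" -print
    done
    return 0
}

# immutable_files ROOT: the immutable flag proves nothing once root is lost,
# but the set of files carrying it should match what the admin set; list it.
immutable_files() {
    lsattr -R "$1" 2>/dev/null | awk '$1 ~ /i/ { print $2 }'
}
```

Build the manifest on the clean install with the same `digest` function and keep it (and a copy of the tools) off the machine, since anything stored on the compromised host, chattr'd or not, is under the attacker's control.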