From: "Nathan Yocom" <[EMAIL PROTECTED]>

> If a user was to gain local root privileges, it is also possible that
> he/she has loaded/forced a kernel module also. Check your modules
> directory and files to see what is being loaded (off the network). It
> could be that ps and /proc agree, but the kernel is not reporting
> correctly to either (given that a rogue module is loaded). You could
> also compile a kernel from clean source and boot with it (off the
> network) then check binaries to be sure they md5 up correctly.
Not only off network, but boot from a separate boot disk. There is a popular rootkit in use now that uses two modules. One of them hides as many files/processes as you (well, they) want, at the kernel level. The next one hides the last loaded module from the modules list. If used well, this rootkit can go undetected more so than many others since there would be NO outward signs. I can't even remember how I spotted this when it got on one of my boxes. But that was how they hid it. They were a bit rubbish in their choice of files to hide though, IIRC. I was lucky in that I found the whole install folder and script they used to install the kit and could reverse it all without a re-install. But the best advice is to re-install in this kind of event.
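The "check binaries to be sure they md5 up correctly" step from the quoted advice, as an added example that is not part of the original thread. It records a hash manifest of a trusted tree and later reports modified, missing and unexpected files. Two assumptions: the manifest is taken and verified from a clean boot disk (a rogue module on the live kernel can lie about file contents, which is the whole point of the thread), and SHA-256 is used in place of MD5 because MD5 collisions are practical today; the on-disk format matches `sha256sum -c` so the manifest can be checked from a rescue shell as well. The sample tree and the "tampering" are constructed inside the example.

```python
"""Added example (not from the original thread): hash-manifest check of
binaries, run from a clean boot so the kernel reporting file contents is
trusted.  Manifest format is compatible with `sha256sum -c`."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (path relative to root) to its digest.
    Symlinks are skipped: a link is verified by where it points, not by itself."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            manifest[str(path.relative_to(root))] = sha256_file(path)
    return manifest


def dump_manifest(manifest: dict) -> str:
    """Serialise in `sha256sum` format: '<hex>  <path>' per line."""
    return "".join(f"{digest}  {path}\n" for path, digest in sorted(manifest.items()))


def load_manifest(text: str) -> dict:
    """Parse `sha256sum`-style lines back into a dict, ignoring blank lines."""
    manifest = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, path = line.split("  ", 1)
        manifest[path] = digest
    return manifest


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the tree under root against a baseline manifest.
    'modified' = digest differs, 'missing' = in baseline but gone,
    'unexpected' = on disk but never recorded (e.g. a dropped tool)."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small 'bin' tree, then replace ps,
    delete netstat and add a new file, and see what verification reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ps").write_bytes(b"original ps binary\n")
        (root / "bin" / "ls").write_bytes(b"original ls binary\n")
        (root / "bin" / "netstat").write_bytes(b"original netstat binary\n")
        # Baseline is taken once, from a trusted boot, and stored off-box.
        baseline = load_manifest(dump_manifest(build_manifest(root)))
        # Constructed tampering (not real malware): trojaned ps, removed
        # netstat, one new file that was never in the manifest.
        (root / "bin" / "ps").write_bytes(b"trojaned ps binary\n")
        (root / "bin" / "netstat").unlink()
        (root / "bin" / "rogue").write_bytes(b"something new\n")
        return verify_manifest(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline is written to removable media at install time, and the comparison is run with the suspect disk mounted read-only under a known-good kernel; `ls` itself shows as unmodified here, which is exactly why the check has to rely on hashes taken from a trusted environment rather than on whatever the live system's tools report.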