On Thu, 2009-10-01 at 12:21 -0600, Kimball Larsen wrote:
> I also ran chkrootkit and rkhunter - both came back clean, so I don't
> think the box has been p0wn3d.

As always, you have to ask yourself how lucky you feel. While this might appear to be a clumsy and failed attack, what you've found so far could just be a diversion. The old advice "the only way to be sure is to reinstall" still applies.

If this is a personal server, it might not be worth it. If this box is on a privileged part of your work network, or has sensitive data, it's definitely worth being sure.

-- 
"XML is like violence: if it doesn't solve your problem, you aren't using enough of it." - Chris Maden