>I agree that the machine has been compromised, thus my queries, but there
>was nothing more that I could find than what I have already reported.
>
>These symptoms do not seem to match anything that I have read about Ramen's
>footprint. I have searched www.cert.org and reported it to them as well.
>
>Dennis
>
>>Do a "netstat -l -n" and see what ports are open. (Mainly high ports, i.e.,
>>16000)

Rootkits sometimes replace netstat and ps to hide their execution. Try
lsof. It's also worth doing an rpm -Va (or the pkg equivalent) to see
what files have been tampered with. Assuming they haven't started
replacing rpm also. A find for setuid root binaries is also worthwhile.


-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug
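
The rpm -Va check suggested in the reply above produces a lot of noise on a long-lived machine, so here is an added example (not part of the original thread) that filters its output down to non-config files whose digest, mode, owner or group changed, plus missing files. The function names and the sample lines are constructed for illustration, and, as the reply notes, the result is only as trustworthy as the rpm binary and database it came from.

```shell
#!/bin/sh
# Added example: triage "rpm -Va" output read from stdin.
# Assumes the usual verify format: flag string, optional marker, path
# (paths containing spaces are not handled).

flag_tampered() {
    awk '
    $1 == "missing" {
        print "MISSING", $NF
        next
    }
    # Verify lines start with a flag string such as "S.5....T."; skip the rest.
    $1 !~ /^[SM5DLUGTP.?]+$/ { next }
    {
        # Optional one-letter marker: c=config, d=doc, g=ghost, l=license, r=readme.
        attr = (NF >= 3 && length($2) == 1) ? $2 : ""
        if (attr == "c" || attr == "d") next   # edited configs and docs are expected
        why = ""
        if (index($1, "5")) why = why "DIGEST,"
        if (index($1, "M")) why = why "MODE,"
        if (index($1, "U")) why = why "OWNER,"
        if (index($1, "G")) why = why "GROUP,"
        if (why == "") next                    # size or mtime only: not reported here
        sub(/,$/, "", why)
        print why, $NF
    }'
}

# Constructed sample of rpm -Va output (not taken from the compromised machine).
sample_rpm_va() {
    cat <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /bin/ps
..5....T.    /bin/netstat
.M...UG..    /usr/bin/passwd
.......T.    /usr/lib/libfoo.so
missing      /sbin/syslogd
EOF
}

# Demo on the sample; on a live system use: rpm -Va | flag_tampered
sample_rpm_va | flag_tampered
```

A changed digest on /bin/ps or /bin/netstat is exactly the replaced-tool case the reply warns about, which is why those lines are kept while the edited config file is dropped.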
