Bob George wrote:
>
> "John (EBo) David" wrote:
> >
> > George Toft wrote:
> > >
> > > Hi John,
> > >
> > > Post a ps and let the group dissect it.
> >
> > Ok... See appended:
>
> Output of ps won't mean much if a rootkit has already been installed
> (search on rootkits - i.e.
> http://linux.oreillynet.com/pub/a/linux/2001/12/14/rootkit.html)

I understand. But since I was asked I thought maybe someone might see
something I didn't.

> Ideally, you'd have tools running up front to detect unauthorized changes.
> There are tools though (i.e. chkrootkit - http://www.chkrootkit.org/) to
> look for signs of compromise even after the fact.

It has been too long since I ran chkrootkit, but... The only thing that
came up was:

Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.6.0/i386-linux/.packlist
Searching for LPD Worm files and dirs... nothing found

... it really does appear like a packing list, but has a bunch of files
which end in .3pm which have is about the time I typically notice odd
things going on. I assume that that is just a coincidence since there are
files there that end in .tar.gz extension... Being in the man directory I
assumed that they are man pages, and the .gz being gnuzipped... One such
example is:

/usr/share/man/man3/warnings::register.3pm type=file

I went ahead and tried looking at them and was unable with any of the
tools I expected, so does anyone have a clue what they should be for? Any
Perl gurus got an idea why they are not readable if they are
documentation?

> Running something like aide or tripwire against critical files is a good
> detection measure, but it needs to be set up up front.

My previous install I set up tripwire (had not heard about aide), but have
not taken the time because I have literally been working 12-20 hr/days
trying to finish up at school...

EBo
--
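Added example, not part of the original message and not chkrootkit's own code: one way to triage a flagged .packlist is to parse it (a path followed by optional key=value attributes, as in the line quoted above) and check each listed file on disk, sniffing for gzip compression. The Constructed:: entries, the temporary directory tree and the function names are assumptions made for the demo; only the warnings::register.3pm line comes from the post.

```python
import gzip
import os
import tempfile

def parse_packlist(text):
    """Parse .packlist lines: a path, then optional key=value attributes."""
    entries = []
    for line in text.splitlines():
        fields = line.split()  # assumes listed paths contain no spaces
        if fields:
            attrs = dict(f.split("=", 1) for f in fields[1:] if "=" in f)
            entries.append((fields[0], attrs))
    return entries

def classify(real, declared):
    """Return plain, gzip, link, other, gz-sibling, missing or type-mismatch."""
    if not os.path.lexists(real):
        # Some distributions compress man pages after install (x.3pm -> x.3pm.gz).
        return "gz-sibling" if os.path.lexists(real + ".gz") else "missing"
    kind = "link" if os.path.islink(real) else "file" if os.path.isfile(real) else "other"
    if declared not in (None, kind):
        return "type-mismatch"
    if kind != "file":
        return kind
    with open(real, "rb") as fh:  # gzip streams start with bytes 1f 8b
        return "gzip" if fh.read(2) == b"\x1f\x8b" else "plain"

def triage(entries, root="/"):
    return {p: classify(os.path.join(root, p.lstrip("/")), a.get("type")) for p, a in entries}

def demo():
    sample = (  # constructed input; only the first line is from the post
        "/usr/share/man/man3/warnings::register.3pm type=file\n"
        "/usr/share/man/man3/Constructed::Zipped.3pm type=file\n"
        "/usr/share/man/man3/Constructed::Moved.3pm type=file\n"
        "/usr/lib/perl5/Constructed/Gone.pm type=file\n"
    )
    files = {
        "warnings::register.3pm": b".TH warnings::register 3pm\n",
        "Constructed::Zipped.3pm": gzip.compress(b".TH Zipped 3pm\n"),
        "Constructed::Moved.3pm.gz": gzip.compress(b".TH Moved 3pm\n"),
    }
    with tempfile.TemporaryDirectory() as root:
        man3 = os.path.join(root, "usr/share/man/man3")
        os.makedirs(man3)
        for name, data in files.items():
            with open(os.path.join(man3, name), "wb") as fh:
                fh.write(data)
        return triage(parse_packlist(sample), root)
```

On a live system, call triage(parse_packlist(open(path).read())) with the default root; as the quoted reply notes, results from a host that may already be compromised are only as trustworthy as its tools.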