Hi,

I have a 4.9-STABLE FreeBSD box apparently hacked!
Yesterday I ran chkrootkit-0.41 and I don't like some of the outputs.
Those are:
chfn ... INFECTED
chsh ... INFECTED
date ... INFECTED
ls ... INFECTED
ps ... INFECTED

But all the rest is NOT PROMISC, NOT INFECTED, NOTHING FOUND, NOTHING DELETED, or NOTHING DETECTED.
I know from the FreeBSD-Security archives that chkrootkit isn't perfect with FreeBSD versions 5.x,
but I'm not in that case. So I'm a little bit afraid and as a newbie I don't really know what to do....
I tried "truss ls" to find something strange and here are the outputs with something... suspicious for me:

ioctl(1,TIOCGETA,0xbfbff534) = 0 (0x0)
ioctl(1,TIOCGWINSZ,0xbfbff5a8) = 0 (0x0)
getuid() = 0 (0x0)
readlink("etc/malloc.conf",0xbfbff490,63) ERR#2 'No such file or directory' #SUSPICIOUS
mmap(0x0,4096,0x3,0x1002,-1,0x0) = 671666176 (0x2808d000)
break(0x809b000) = 0 (0x0)
break(0x809c000) = 0 (0x0)
break(0x809d000) = 0 (0x0)
break(0x809e000) = 0 (0x0)
... and so on!

And if I am an intrusion victim.... what can I do? How can I restore those files? And how can I find out how this cracker managed to break my firewall? I mean, where is the security hole?
PS: After verification on other commands declared not infected I found out this ERR#2 is common.... maybe I have another problem here!

Thanks everyone!
razor.
> ioctl(1,TIOCGETA,0xbfbff534) = 0 (0x0)
> ioctl(1,TIOCGWINSZ,0xbfbff5a8) = 0 (0x0)
> getuid() = 0 (0x0)
> readlink("etc/malloc.conf",0xbfbff490,63) ERR#2 'No such file or directory' #SUSPICIOUS
> mmap(0x0,4096,0x3,0x1002,-1,0x0) = 671666176 (0x2808d000)
> break(0x809b000) = 0 (0x0)
> break(0x809c000) = 0 (0x0)
> break(0x809d000) = 0 (0x0)
> break(0x809e000) = 0 (0x0)
> ... and so on!

Looks normal to me here... not really sure why that is suspicious to you. (It's just trying to load malloc.conf for malloc options.)

-- 
Peter C. Lai
University of Connecticut
Dept. of Molecular and Cell Biology
Yale University School of Medicine
SenseLab | Research Assistant
http://cowbert.2y.net/
On Fri, May 21, 2004 at 03:52:45PM +0200, RazorOnFreeBSD wrote:
> I have a 4.9-STABLE FreeBSD box apparently hacked!
> Yesterday I ran chkrootkit-0.41 and I don't like some of the outputs.
> Those are:
> chfn ... INFECTED
> chsh ... INFECTED
> date ... INFECTED
> ls ... INFECTED
> ps ... INFECTED

Sheesh. Not this *again*. This is a false alarm: chkrootkit is exceedingly sensitive to something about the way such programs work under FreeBSD and has to be continually futzed so that it knows not to complain on each successive version of FreeBSD. Comes up in this or other FreeBSD lists just about every week.

Relax. You're not compromised. You just need better tools.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks, Savill Way, Marlow, Bucks., SL7 1TH UK
PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614
Maybe you should
- grep the 4.9-STABLE sources of chfn, chsh, date, ls, ps, build them and diff/md5 the built stuff
- ktrace(dump) the (current) ls, etc. with the (fresh) cvs version (rev for 4.9-S)
- just reinstall the system :)

R> Hi,
R> I have a 4.9-STABLE FreeBSD box apparently hacked!
R> Yesterday I ran chkrootkit-0.41 and I don't like some of the outputs.
R> Those are:
R> chfn ... INFECTED
R> chsh ... INFECTED
R> date ... INFECTED
R> ls ... INFECTED
R> ps ... INFECTED
R> But all the rest is NOT PROMISC, NOT INFECTED, NOTHING FOUND, NOTHING DELETED, or NOTHING DETECTED.
R> I know by the FreeBSD-Security archives that chkrootkit isn't perfect with FreeBSD versions 5.x
R> But I'm not in that case. So I'm a little bit afraid and as a newbie I don't really know what to do....
R> I tried "truss ls" to find something strange and here are the outputs with something... suspicious for me:
R> ioctl(1,TIOCGETA,0xbfbff534) = 0 (0x0)
R> ioctl(1,TIOCGWINSZ,0xbfbff5a8) = 0 (0x0)
R> getuid() = 0 (0x0)
R> readlink("etc/malloc.conf",0xbfbff490,63) ERR#2 'No such file or directory' #SUSPICIOUS
R> mmap(0x0,4096,0x3,0x1002,-1,0x0) = 671666176 (0x2808d000)
R> break(0x809b000) = 0 (0x0)
R> break(0x809c000) = 0 (0x0)
R> break(0x809d000) = 0 (0x0)
R> break(0x809e000) = 0 (0x0)
R> ... and so on!
R> And if I am an intrusion victim.... what can I do ? How can I restore
R> those files? and how can I find out how this cracker did to break my
R> firewall? I mean where is the security hole?
R> PS: After verification on other commands declared not infected I found
R> out this ERR#2 is common.... maybe I have another problem here!
R> Thanks everyone!
R> razor.
R> _______________________________________________
R> freebsd-security@freebsd.org mailing list
R> http://lists.freebsd.org/mailman/listinfo/freebsd-security
R> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
Yes.... if you have any recommendation on something else? I'm currently moving from chkrootkit 0.41 to 0.43; maybe it will help! I'll send the response for the next people with this problem.... 'cause I don't want to be annoying, but after simple searches I didn't find an accurate solution or the right information for 4.x boxes! For sure I didn't type in the right words if this post pops up every week, but I'm a newbie and future newbies will have the same problem and will probably type the same key words.... and probably add another post on the same subject! Here I and they need a response to stop polluting the mailing list! Don't you think?

PS: This was just sort of a notice, nothing aggressive or whatever else you wouldn't like! I love everybody and everything on this planet, even cows.... (can I except terrorist people? Those are shit!)

Sorry for polluting.

razor's trying chkrootkit 0.43.

----- Original Message -----
From: "Tom Rhodes" <trhodes@FreeBSD.org>
To: "Matthew Seaman" <m.seaman@infracaninophile.co.uk>
Cc: "RazorOnFreeBSD" <yann.luppo@attglobal.net>; <freebsd-security@FreeBSD.org>
Sent: Friday, May 21, 2004 10:11 PM
Subject: Re: Hacked or not ?

> On Fri, 21 May 2004 21:02:54 +0100
> Matthew Seaman <m.seaman@infracaninophile.co.uk> wrote:
>
> > On Fri, May 21, 2004 at 03:52:45PM +0200, RazorOnFreeBSD wrote:
> >
> > > I have a 4.9-STABLE FreeBSD box apparently hacked!
> > > Yesterday I ran chkrootkit-0.41 and I don't like some of the outputs.
> > > Those are:
> > > chfn ... INFECTED
> > > chsh ... INFECTED
> > > date ... INFECTED
> > > ls ... INFECTED
> > > ps ... INFECTED
> >
> > Sheesh. Not this *again*. This is a false alarm: chkrootkit is
> > exceedingly sensitive to something about the way such programs work
> > under FreeBSD and has to be continually futzed so that it knows not to
> > complain on each successive version of FreeBSD. Comes up in this or
> > other FreeBSD lists just about every week.
> >
> > Relax. You're not compromised. You just need better tools.
>
> I love the "just need better tools." without any recommendation
> for him.
>
> --
> Tom Rhodes
On 0, RazorOnFreeBSD <yann.luppo@attglobal.net> allegedly wrote:
> yes.... if you have any recommendation on something else?

You might like to check out rkhunter at http://www.rootkit.nl/projects/rootkit_hunter.html

-------------------------------------------------------------
Nigel Houghton
Research Engineer
Sourcefire Inc.
Vulnerability Research Team

In an emergency situation involving two or more officers of equal rank, seniority will be granted to whichever officer can program a vcr.
On Fri, May 21, 2004 at 04:11:33PM -0400, Tom Rhodes wrote:
> On Fri, 21 May 2004 21:02:54 +0100
> Matthew Seaman <m.seaman@infracaninophile.co.uk> wrote:
>
> > On Fri, May 21, 2004 at 03:52:45PM +0200, RazorOnFreeBSD wrote:
> >
> > > I have a 4.9-STABLE FreeBSD box apparently hacked!
> > > Yesterday I ran chkrootkit-0.41 and I don't like some of the outputs.
> > > Those are:
> > > chfn ... INFECTED
> > > chsh ... INFECTED
> > > date ... INFECTED
> > > ls ... INFECTED
> > > ps ... INFECTED
> >
> > Sheesh. Not this *again*. This is a false alarm: chkrootkit is
> > exceedingly sensitive to something about the way such programs work
> > under FreeBSD and has to be continually futzed so that it knows not to
> > complain on each successive version of FreeBSD. Comes up in this or
> > other FreeBSD lists just about every week.
> >
> > Relax. You're not compromised. You just need better tools.
>
> I love the "just need better tools." without any recommendation
> for him.

Well, the question was "has my machine been compromised", which I answered. The current version of chkrootkit in ports (0.43) has a problem whereby it thinks FreeBSD 4.10 is a higher version than FreeBSD 5.0, which means that it reports certain programs are infected because they *don't* fail in the expected way found on 5.0 or above. Here's a patch:

--- chkrootkit.orig Fri May 21 22:19:16 2004 +++ chkrootkit Fri May 21 22:36:29 2004 @@ -257,7 +257,7 @@ { prog="" if [ \( "${SYSTEM}" = "Linux" -o \( "${SYSTEM}" = "FreeBSD" -a \ - ${V} -gt 43 \) \) -a "${ROOTDIR}" = "/" ]; then + ${V} -gt 403 \) \) -a "${ROOTDIR}" = "/" ]; then [ ! -x /usr/local/sbin/chkproc ] && prog="/usr/local/sbin/chkproc" [ ! -x /usr/local/sbin/chkdirs ] && prog="$prog /usr/local/sbin/chkdirs" if [ "$prog" != "" ]; then @@ -1080,7 +1080,7 @@ STATUS=${INFECTED} fi;; FreeBSD) - [ $V -gt 50 ] && n=1 || n=2 + [ $V -gt 500 ] && n=1 || n=2 if [ `${strings} -a ${CMD} | \ ${egrep} -c "${GENERIC_ROOTKIT_LABEL}"` -ne $n ] then
@@ -1114,7 +1114,7 @@ fi fi;; FreeBSD) - [ $V -gt 50 ] && n=1 || n=2 + [ $V -gt 500 ] && n=1 || n=2 if [ `${strings} -a ${CMD} | ${egrep} -c "${GENERIC_ROOTKIT_LABEL}"` -ne $n ] then STATUS=${INFECTED} @@ -1145,10 +1145,10 @@ ret=`${strings} -a ${CMD} | ${egrep} -c "${GENERAL}"` if [ ${ret} -gt 0 ]; then case ${ret} in - 1) [ "${SYSTEM}" = "OpenBSD" -a ${V} -le 27 -o ${V} -ge 30 ] && \ + 1) [ "${SYSTEM}" = "OpenBSD" -a ${V} -le 207 -o ${V} -ge 300 ] && \ STATUS=${NOT_INFECTED} || STATUS=${INFECTED};; 2) [ "${SYSTEM}" = "FreeBSD" -o ${SYSTEM} = "NetBSD" -o ${SYSTEM} = \ -"OpenBSD" -a ${V} -ge 28 ] && STATUS=${NOT_INFECTED} || STATUS=${INFECTED};; +"OpenBSD" -a ${V} -ge 208 ] && STATUS=${NOT_INFECTED} || STATUS=${INFECTED};; *) STATUS=${INFECTED};; esac @@ -1622,7 +1622,7 @@ expertmode_output "${ls} -l ${CMD}" return 5 fi - [ "${SYSTEM}" = "FreeBSD" -a $V -gt 50 ] && + [ "${SYSTEM}" = "FreeBSD" -a $V -gt 500 ] && { if [ `${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" | \ ${egrep} -c "$S_L"` -ne 2 ]; then @@ -2398,9 +2398,9 @@ SYSTEM=`${uname} -s` VERSION=`${uname} -r` if [ "${SYSTEM}" != "FreeBSD" -a ${SYSTEM} != "OpenBSD" ] ; then - V=44 + V=404 else - V=`echo $VERSION | cut -d- -f 1 | ${sed} 's/\.//g'` + V=$(( `echo $VERSION | cut -d- -f 1 | ${sed} 's/\./ * 100 + /g'` )) fi # ps command

Better tools in this case: I'd say tripwire or one of the work-alikes.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks, Savill Way, Marlow, Bucks., SL7 1TH UK
PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614
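Review bot: the `[ $V -gt 500 ]` test in the `FreeBSD)` branch of the `@@ -1080` hunk (and the same test in the `@@ -1114` and `@@ -1622` hunks) still excludes 5.0 itself: under the new encoding 5.0 becomes 500, so a 5.0 box takes the `n=2` path, while the message says the behaviour being tested for starts at "5.0 or above". This mirrors the old `-gt 50`, so the patch changes nothing there and does fix the real problem (4.10 now encodes as 410, which is no longer greater than 500); but if 5.0 really behaves like 5.1 the comparison wants `-ge 500`, and either way a one-line comment beside each literal saying the encoding is major * 100 + minor would spare the next reader from re-deriving what 403, 500 and 208 mean.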
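Review bot: the `1)` case in the `@@ -1145` hunk keeps a pre-existing precedence problem that the renumbering does not touch: `test` binds `-a` tighter than `-o`, so `"${SYSTEM}" = "OpenBSD" -a ${V} -le 207 -o ${V} -ge 300` reads as (OpenBSD and V <= 207) or (V >= 300), and the second clause fires for every system, FreeBSD 4.x included, now that V is 400-plus. The new constants are consistent with each other (27 -> 207, 28 -> 208, 30 -> 300), but the intended grouping should be made explicit with `\( ... \)`, and `${SYSTEM} = "NetBSD"` on the `2)` line should be quoted like the other `${SYSTEM}` comparisons.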
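Review bot: the new `V=$(( ... ))` expression in the `@@ -2398` hunk only encodes two dotted components correctly: `${sed} 's/\./ * 100 + /g'` turns a three-part string such as `4.9.1` into `4 * 100 + 9 * 100 + 1`, which evaluates to 1301. The `cut -d- -f 1` in front of it strips the `-RELEASE`/`-STABLE` suffix, and FreeBSD and OpenBSD put their patch level after the dash, so the assumption holds for the two systems this branch guards, but it deserves a comment, as does the fact that `$(( ))` needs a POSIX sh (fine for the FreeBSD/OpenBSD branch, and the non-BSD fallback `V=404` matches the old `V=44` under the new encoding).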
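The version mix-up Matthew describes (4.10 read as 410 and compared against 5.0 read as 50) in stand-alone form, as an added example that is not from the thread and not chkrootkit's own code: `naive_key` reproduces the buggy encoding, and `positional_key` goes beyond the two-component `major * 100 + minor` fix in the patch by giving every dotted component a fixed-width field, so any number of components compares correctly. The function names and the sample `uname -r` strings are mine.

```shell
#!/bin/sh
# Added example: why stripping the dots from a release number mis-orders
# dotted versions, and a positional encoding that orders them correctly.
# Not chkrootkit code; function names are the example's own.

# Naive key, as the unpatched script did it: drop the "-STABLE"/"-RELEASE"
# suffix, then strip the dots.  "4.10" -> 410 and "5.0" -> 50, so 410 -gt 50
# makes a 4.10 box look newer than 5.0.
naive_key() {
    printf '%s\n' "$1" | cut -d- -f1 | sed 's/\.//g'
}

# Positional key: each dotted component becomes a three-digit field, so
# "4.10" -> 004010, "5.0" -> 005000 and "4.9.1" -> 004009001.  Any number
# of components works; the patch's "major * 100 + minor" handles exactly two.
positional_key() {
    printf '%s\n' "$1" | cut -d- -f1 | tr '.' '\n' |
        while IFS= read -r part; do printf '%03d' "$part"; done
    echo
}

# Compare two versions on their positional keys; prints -1, 0 or 1.
# The shorter key is padded with zero fields so 4.9 and 4.9.0 compare equal;
# once the keys have equal length, string order is numeric order.
vers_cmp() {
    a=$(positional_key "$1"); b=$(positional_key "$2")
    while [ ${#a} -lt ${#b} ]; do a="${a}000"; done
    while [ ${#b} -lt ${#a} ]; do b="${b}000"; done
    if   [ "$a" = "$b" ];   then printf '%s\n' 0
    elif [ "$a" \< "$b" ];  then printf '%s\n' -1
    else                         printf '%s\n' 1
    fi
}

# Demonstration on constructed uname -r strings.
for v in 4.9-STABLE 4.10-STABLE 5.0-RELEASE; do
    printf '%-12s naive=%-4s positional=%s\n' "$v" "$(naive_key "$v")" "$(positional_key "$v")"
done
n1=$(naive_key 4.10); n2=$(naive_key 5.0)
if [ "$n1" -gt "$n2" ]; then
    echo "naive: 4.10 ($n1) sorts after 5.0 ($n2), which is the bug"
fi
echo "vers_cmp 4.10 5.0 = $(vers_cmp 4.10 5.0)   (-1: 4.10 is the older one)"
```

The same class of bug shows up wherever a dotted version is compared as a string or as concatenated digits; fixed-width fields per component, or a component-by-component loop, is the general cure.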
Razor,

Download the source and recompile those binaries and see if chkrootkit gives you the same 'INFECTED' messages.

Daniel M. Spielman

On Fri, 21 May 2004, RazorOnFreeBSD wrote:
> Hi,
>
> I have a 4.9-STABLE FreeBSD box apparently hacked!
> Yesterday I ran chkrootkit-0.41 and I don't like some of the outputs.
> Those are:
> chfn ... INFECTED
> chsh ... INFECTED
> date ... INFECTED
> ls ... INFECTED
> ps ... INFECTED
>
> But all the rest is NOT PROMISC, NOT INFECTED, NOTHING FOUND, NOTHING DELETED, or NOTHING DETECTED.
> I know by the FreeBSD-Security archives that chkrootkit isn't perfect with FreeBSD versions 5.x
> But I'm not in that case. So I'm a little bit afraid and as a newbie I don't really know what to do....
> I tried "truss ls" to find something strange and here are the outputs with something... suspicious for me:
>
> ioctl(1,TIOCGETA,0xbfbff534) = 0 (0x0)
> ioctl(1,TIOCGWINSZ,0xbfbff5a8) = 0 (0x0)
> getuid() = 0 (0x0)
> readlink("etc/malloc.conf",0xbfbff490,63) ERR#2 'No such file or directory' #SUSPICIOUS
> mmap(0x0,4096,0x3,0x1002,-1,0x0) = 671666176 (0x2808d000)
> break(0x809b000) = 0 (0x0)
> break(0x809c000) = 0 (0x0)
> break(0x809d000) = 0 (0x0)
> break(0x809e000) = 0 (0x0)
> ... and so on!
>
> And if I am an intrusion victim.... what can I do ? How can I restore those files? and how can I find out how this cracker did to break my firewall? I mean where is the security hole?
> PS: After verification on other commands declared not infected I found out this ERR#2 is common.... maybe I have another problem here!
>
> Thanks everyone!
> razor.
Thanks a lot everyone, I have enough to work on ;) You were really helpful and for sure those who will use the mailing list search function will appreciate it too!

razor

----- Original Message -----
From: "M. Boelen" <michael@computerpech.nl>
To: "RazorOnFreeBSD" <yann.luppo@attglobal.net>
Cc: <freebsd-security@freebsd.org>
Sent: Saturday, May 22, 2004 11:13 AM
Subject: Re: Hacked or not ?

> Hi,
>
> Someone else already told you about Rootkit Hunter, but forgot to
> say you can install it from the FreeBSD Ports collection
> (/usr/ports/security/rkhunter) ;-)
>
> (It has been added this month, so a lot of FreeBSD users don't know it
> yet.)
>
> Michael Boelen
> Author of Rootkit Hunter
>
> >Hi,
> >
> >I have a 4.9-STABLE FreeBSD box apparently hacked!
> >Yesterday I ran chkrootkit-0.41 and I don't like some of the outputs.
> >Those are:
> >chfn ... INFECTED
> >chsh ... INFECTED
> >date ... INFECTED
> >ls ... INFECTED
> >ps ... INFECTED
> >
> >But all the rest is NOT PROMISC, NOT INFECTED, NOTHING FOUND, NOTHING DELETED, or NOTHING DETECTED.
> >I know by the FreeBSD-Security archives that chkrootkit isn't perfect with FreeBSD versions 5.x
> >But I'm not in that case. So I'm a little bit afraid and as a newbie I don't really know what to do....
> >I tried "truss ls" to find something strange and here are the outputs with something... suspicious for me:
> >
> >ioctl(1,TIOCGETA,0xbfbff534) = 0 (0x0)
> >ioctl(1,TIOCGWINSZ,0xbfbff5a8) = 0 (0x0)
> >getuid() = 0 (0x0)
> >readlink("etc/malloc.conf",0xbfbff490,63) ERR#2 'No such file or directory' #SUSPICIOUS
> >mmap(0x0,4096,0x3,0x1002,-1,0x0) = 671666176 (0x2808d000)
> >break(0x809b000) = 0 (0x0)
> >break(0x809c000) = 0 (0x0)
> >break(0x809d000) = 0 (0x0)
> >break(0x809e000) = 0 (0x0)
> >... and so on!
> >
> >And if I am an intrusion victim.... what can I do ? How can I restore those files? and how can I find out how this cracker did to break my firewall? I mean where is the security hole?
> >PS: After verification on other commands declared not infected I found out this ERR#2 is common.... maybe I have another problem here!
> >
> >Thanks everyone!
> >razor.
>
> --
>
> This is my mailbox. There are many like it but this one is mine.
> My mailbox is my best friend. It is my life. I must master it as I
> master my life.
>
> My mailbox, without me is useless. Without my mailbox, I am useless.
> I must empty my mailbox true. I must clean him before he gets full.
> I will....
Hi,

Someone else already told you about Rootkit Hunter, but forgot to say you can install it from the FreeBSD Ports collection (/usr/ports/security/rkhunter) ;-)

(It has been added this month, so a lot of FreeBSD users don't know it yet.)

Michael Boelen
Author of Rootkit Hunter

>Hi,
>
>I have a 4.9-STABLE FreeBSD box apparently hacked!
>Yesterday I ran chkrootkit-0.41 and I don't like some of the outputs.
>Those are:
>chfn ... INFECTED
>chsh ... INFECTED
>date ... INFECTED
>ls ... INFECTED
>ps ... INFECTED
>
>But all the rest is NOT PROMISC, NOT INFECTED, NOTHING FOUND, NOTHING DELETED, or NOTHING DETECTED.
>I know by the FreeBSD-Security archives that chkrootkit isn't perfect with FreeBSD versions 5.x
>But I'm not in that case. So I'm a little bit afraid and as a newbie I don't really know what to do....
>I tried "truss ls" to find something strange and here are the outputs with something... suspicious for me:
>
>ioctl(1,TIOCGETA,0xbfbff534) = 0 (0x0)
>ioctl(1,TIOCGWINSZ,0xbfbff5a8) = 0 (0x0)
>getuid() = 0 (0x0)
>readlink("etc/malloc.conf",0xbfbff490,63) ERR#2 'No such file or directory' #SUSPICIOUS
>mmap(0x0,4096,0x3,0x1002,-1,0x0) = 671666176 (0x2808d000)
>break(0x809b000) = 0 (0x0)
>break(0x809c000) = 0 (0x0)
>break(0x809d000) = 0 (0x0)
>break(0x809e000) = 0 (0x0)
>... and so on!
>
>And if I am an intrusion victim.... what can I do ? How can I restore those files? and how can I find out how this cracker did to break my firewall? I mean where is the security hole?
>PS: After verification on other commands declared not infected I found out this ERR#2 is common.... maybe I have another problem here!
>
>Thanks everyone!
>razor.

-- 
This is my mailbox. There are many like it but this one is mine.
My mailbox is my best friend. It is my life. I must master it as I
master my life.

My mailbox, without me is useless. Without my mailbox, I am useless.
I must empty my mailbox true. I must clean him before he gets full.
I will....
Hi all,

please advise me - I was on holidays for one week. After returning I found the following message in the security mails from the router (chkrootkit):

Checking `lkm'... You have 1 process hidden for readdir command
You have 1 process hidden for ps command
Warning: Possible LKM Trojan installed

It appeared only once. In the previous and next days' reports, the message is not present.

How could I be sure the machine is not hacked?

Many thanks for any response.

Peter Rosa
I have seen this as well; it is most likely a false positive. Additionally, slower or more heavily loaded machines seem more likely to generate false positives for LKM.

As a side note, there really ought to be a way for admins to double check the output from chkrootkit. Google helps little. Any offers..?

Jon

> Hi all,
>
> please advise me - I was on holidays for one week. After return I found
> in security mails from router (chkrootkit) following message:
> Checking `lkm'... You have 1 process hidden for readdir command
> You have 1 process hidden for ps command
> Warning: Possible LKM Trojan installed
>
> It appeared only once. From previous and next days reports, the message
> is not present.
>
> How could I be sure, the machine is not hacked ?
>
> Many thanks for any response.
>
> Peter Rosa
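Jon's point that a loaded machine can yield a one-off "process hidden" report, and his wish for a way to double-check it, as an added example that is not from the thread and not chkrootkit's chkproc: the same readdir-versus-ps comparison, repeated over several rounds, so that a PID that merely started or exited between the two listings drops out while one that is absent from ps in every round stays. The function names and the constructed PID snapshots are mine; the live collector assumes a mounted procfs and a ps that accepts `-ax -o pid=`.

```shell
#!/bin/sh
# Added example (not chkrootkit's chkproc): PIDs visible in the process
# directory but absent from ps, checked over several rounds so that a
# process that exits mid-listing does not produce a one-off alarm.
# A kernel module that hides a process from *both* views is out of scope;
# this only separates a transient race from persistent hiding.

# PIDs present in the readdir list $1 but not in the ps list $2
# (files with one PID per line, any order).
hidden_in_round() {
    a=$(mktemp); b=$(mktemp)
    LC_ALL=C sort -u "$1" > "$a"
    LC_ALL=C sort -u "$2" > "$b"
    LC_ALL=C comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Takes file pairs (readdir ps readdir ps ...), one pair per round, and
# prints only the PIDs that were hidden in every round.
persistent_hidden() {
    acc=$(mktemp); first=1
    while [ $# -ge 2 ]; do
        cur=$(mktemp)
        hidden_in_round "$1" "$2" > "$cur"
        if [ "$first" -eq 1 ]; then
            cp "$cur" "$acc"; first=0
        else
            LC_ALL=C comm -12 "$acc" "$cur" > "$acc.next" && mv "$acc.next" "$acc"
        fi
        rm -f "$cur"; shift 2
    done
    cat "$acc"; rm -f "$acc"
}

# Live collection: N rounds one second apart.  Needs a mounted procfs and
# root so that ps sees every process.  The directory listing uses the
# shell's own glob (its own readdir), so a replaced ls binary is not consulted.
live_check() {
    rounds=${1:-3}; i=0
    set --
    while [ "$i" -lt "$rounds" ]; do
        d=$(mktemp); p=$(mktemp)
        for e in /proc/[0-9]*; do printf '%s\n' "${e#/proc/}"; done > "$d"
        ps -ax -o pid= | tr -d ' ' > "$p"
        set -- "$@" "$d" "$p"
        i=$((i + 1)); sleep 1
    done
    persistent_hidden "$@"
    rm -f "$@"
}

# Constructed snapshots (not from a real host): PID 100 is missing from ps
# only in round 1, as a process that exited between the two listings would be;
# PID 300 is missing from ps in every round.
make_demo_snapshots() {
    printf '1\n2\n3\n100\n300\n' > "$1/r1d"; printf '1\n2\n3\n' > "$1/r1p"
    printf '1\n2\n3\n300\n'      > "$1/r2d"; printf '1\n2\n3\n' > "$1/r2p"
    printf '1\n2\n4\n300\n'      > "$1/r3d"; printf '1\n2\n4\n' > "$1/r3p"
}

demo=$(mktemp -d); make_demo_snapshots "$demo"
echo "round 1 alone reports: $(hidden_in_round "$demo/r1d" "$demo/r1p" | tr '\n' ' ')"
echo "hidden in all three rounds: $(persistent_hidden "$demo/r1d" "$demo/r1p" \
    "$demo/r2d" "$demo/r2p" "$demo/r3d" "$demo/r3p")"
rm -rf "$demo"
```

`sh hidden.sh` runs the constructed demo; sourcing the file and calling `live_check 5` runs five real rounds. A PID that survives every round deserves the full treatment from the rest of the thread (rebuild or boot from clean media and compare checksums); a PID that appears once and vanishes is the race Jon describes.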
On Sun, Jun 13, 2004 at 06:20:11PM +0000, Ondra Holecek wrote:
> On Sunday 13 June 2004 16:17, Alexander Yeremenko wrote:
> > On Sat, Jun 12, 2004 at 05:50:35PM +0400, Alex Povolotsky wrote:
> > > On Sat, 12 Jun 2004 14:39:21 +0200
> > > "Peter Rosa" <prosa@pro.sk> wrote:
> > >
> > > PR> But what about the /var/log/messages logs absence ?
> > > PR> And, how to test the machine, if it is healthy ?
> > >
> > > Boot from CD and compare md5 checksums on system files. That's the first
> > > step.
> >
> > I'm running a frequent script, evaluating md5 for binaries, libs
> > etc, and reports if something changed
>
> But, what if hacker modifies this script to not report changes, or change the
> original MD5 checksum

This smart hacker must know about this script :)

-- 
AY7-UANIC || AY15-RIPE
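The checksum approach that runs through the thread (rebuild the binaries and diff/md5 them, or boot from CD and compare checksums on system files) together with the last message's worry that an intruder could alter the checking script or its stored sums, as an added example that is not from the thread and not the code of chkrootkit, rkhunter or tripwire: a baseline manifest of file hashes plus a verifier that reports changed, missing and new files. It uses SHA-256 rather than md5 (my choice); the function names, the manifest format and the constructed sample tree are mine.

```shell
#!/bin/sh
# Added example (not from the thread or from any tool named in it): a
# minimal file-integrity baseline.  Build the manifest from a known-good
# install, keep it and this script on read-only media, and run the check
# from a trusted boot, so a replaced ls, ps or sh on the suspect system
# cannot lie to it and the intruder cannot edit the sums.

# SHA-256 of one file, using whichever tool the system provides.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then     # FreeBSD
        sha256 -q "$1"
    else
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# Print "hash path" for every regular file under $1, in a stable order.
make_manifest() {
    root=$1
    ( cd "$root" && find . -type f | LC_ALL=C sort ) | while IFS= read -r rel; do
        printf '%s %s\n' "$(hash_file "$root/$rel")" "$rel"
    done
}

# Compare the tree under $1 against manifest $2.  Prints one line per
# CHANGED, MISSING or NEW file and returns 1 if anything differs.
verify_manifest() {
    root=$1; manifest=$2; rc=0
    while read -r expected rel; do
        if [ ! -f "$root/$rel" ]; then
            echo "MISSING $rel"; rc=1
        elif [ "$(hash_file "$root/$rel")" != "$expected" ]; then
            echo "CHANGED $rel"; rc=1
        fi
    done < "$manifest"
    # Files the baseline never saw, e.g. a binary an intruder dropped.
    known=$(mktemp); ondisk=$(mktemp)
    sed 's/^[^ ]* //' "$manifest" | LC_ALL=C sort > "$known"
    ( cd "$root" && find . -type f | LC_ALL=C sort ) > "$ondisk"
    newfiles=$(LC_ALL=C comm -13 "$known" "$ondisk")
    rm -f "$known" "$ondisk"
    if [ -n "$newfiles" ]; then
        printf '%s\n' "$newfiles" | sed 's/^/NEW /'; rc=1
    fi
    return $rc
}

# Command-line use (paths are illustrative):
#   sh integrity.sh baseline /bin > /cdrom/bin.manifest
#   sh integrity.sh verify   /bin   /cdrom/bin.manifest
case "${1:-}" in
    baseline) make_manifest "$2" ;;
    verify)   verify_manifest "$2" "$3" ;;
esac
```

The manifest records relative paths, so a tree mounted under a different root after booting from CD (for example the suspect /bin mounted at /mnt/bin) verifies against the same baseline. The script deliberately calls only find, sort, sed, comm and a hash tool from the trusted boot medium; nothing on the suspect disk is executed.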