On Monday, February 07, 2011 10:21:18 am Nicolas Ross wrote:

> md5sum has been tampered with also... It returns those expected values, but
> a md5sum program I took elsewhere was returning another value...

Once you've been hacked, you can't trust the core utilities (ls / md5sum / cd / etc.). You can't trust the kernel interfaces that these core utilities use, nor can you reliably remove the kernel modules used to interfere with normal operations, since the interfaces within the kernel may themselves be cloaking the hack-installed kernel modules!

The only way to deal with this scenario and get anything resembling a correct answer is to mount the drive in userspace, noexec, on another, trusted system. If downtime is a concern you *might* be able to use dd and copy the disk partition to another drive in the middle of the night and then check out the drive offline - that would probably work fine.

But realize that until you do this, you can have no trust whatsoever in that computer; change passwords, delete/change private SSH keys, etc., and anything you do from here on out will be forensics to:

A) Determine just how far they got in (did they get access to other systems?)
B) Figure out how to best transfer services to a new, updated system and update security so that the bad guys can't just walk back in with prior knowledge.

BTW: you should basically NEVER run an EOL'd system, regardless of the O/S. An unpatched server is pretty much a guaranteed hack incident waiting to happen.

Good luck!
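The offline check the reply describes, as an added example that is not part of the original thread: the suspect partition (or its dd image) is mounted read-only and noexec on a trusted host, and every file named in a known-good hash manifest is hashed from the trusted side and compared. The mount point, the manifest format and the sample files are assumptions constructed for the demo.

```python
"""Integrity check of a suspect filesystem from a trusted host (example code).
Assumed prerequisite on the trusted system, nothing from the suspect disk runs:
    mount -o ro,noexec,nosuid,nodev /dev/sdX1 /mnt/suspect      (or a dd image via loop)
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks using the trusted host's own hashlib, not the suspect md5sum."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_mount(mount_point, manifest):
    """Compare files below mount_point against manifest {absolute path: sha256}.
    A binary replaced by a symlink counts as modified, not as present."""
    result = {"ok": [], "modified": [], "missing": []}
    root = Path(mount_point)
    for rel, expected in sorted(manifest.items()):
        p = root / rel.lstrip("/")
        if p.is_symlink():
            result["modified"].append(rel)
        elif not p.is_file():
            result["missing"].append(rel)
        elif sha256_file(p) != expected:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def demo():
    """Constructed sample tree: a pristine copy yields the manifest, then one
    utility is trojaned and one removed, as on a rooted box."""
    good = {"/bin/ls": b"ls-good-bytes", "/bin/md5sum": b"md5sum-good-bytes",
            "/sbin/ifconfig": b"ifconfig-good-bytes"}
    manifest = {k: hashlib.sha256(v).hexdigest() for k, v in good.items()}
    with tempfile.TemporaryDirectory() as tmp:          # stands in for /mnt/suspect
        root = Path(tmp)
        for rel, data in good.items():
            p = root / rel.lstrip("/")
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        (root / "bin/md5sum").write_bytes(b"md5sum-trojaned-bytes")
        (root / "sbin/ifconfig").unlink()
        return verify_mount(root, manifest)


if __name__ == "__main__":
    print(demo())   # {'ok': ['/bin/ls'], 'modified': ['/bin/md5sum'], 'missing': ['/sbin/ifconfig']}
```

A real manifest would come from the distribution's package metadata or a clean install of the same version, never from anything copied off the compromised host.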