On 31/10/03 18:38 +0530, Tushar Burman wrote: <snip>
But seriously, as I mentioned in the mail, I'd like to get to the bottom of the problem; if I don't have a reason why it's happening, I don't have a reason why it won't happen again.
Are you up to date on all patches? IIRC, RH support for 7.2 has expired, or is about to. So you might have to roll your own versions. Are you running any non-RH-supplied software? Perhaps a CGI script?
The other suggestions of adding -x to the rc.sysinit script or disabling networking sound more reasonable to me.
You are making the fundamental mistake of assuming that chkrootkit can detect everything. How do you know that your kernel has not got an LKM which hides the process information? Once the attacker gains full administrative privileges, you are toast.
And replies to the list only, please.

Devdas Bhagat
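
The limitation raised in the message above, shown as an added example that is not part of the original post: a cross-view check compares the PIDs a `/proc` listing shows with the PIDs the kernel answers for via `kill(pid, 0)`. The function names are illustrative and it assumes a Linux `/proc`. A module running in the kernel can falsify both views, so an empty result proves nothing about a host that is already compromised.

```python
import errno
import os

def listed_pids(proc="/proc"):
    """PIDs that a directory listing of /proc shows (the view ps relies on)."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}

def is_alive(pid):
    """kill(pid, 0) delivers no signal; it only asks the kernel if pid exists."""
    try:
        os.kill(pid, 0)
    except OSError as exc:
        return exc.errno == errno.EPERM  # exists, but owned by another user
    return True

def tgid_of(pid, proc="/proc"):
    """Thread-group id from /proc/<pid>/status, or None if unreadable."""
    try:
        with open(f"{proc}/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except (OSError, ValueError):
        pass
    return None

def cross_view(listed, alive, tgid_lookup):
    """PIDs the kernel answers for that no listing shows, minus plain threads."""
    suspects = []
    for pid in sorted(alive - listed):
        tgid = tgid_lookup(pid)
        # Thread ids answer kill() but are never listed; skip them when
        # their owning process is itself visible.
        if tgid is not None and tgid != pid and tgid in listed:
            continue
        suspects.append(pid)
    return suspects

def scan():
    with open("/proc/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    before = listed_pids()
    alive = {pid for pid in range(1, pid_max) if is_alive(pid)}
    # Listing twice reduces false hits from processes started mid-scan.
    return cross_view(before | listed_pids(), alive, tgid_of)

if __name__ == "__main__":
    for pid in scan():
        print(f"pid {pid} answers kill(0) but is not listed in /proc")
```

Running the same comparison from trusted boot media against the mounted disk is not possible for live process state, which is why a hit here is a reason to take the machine offline rather than a diagnosis.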