01-16-2008, 08:02 PM
-=SilliCone=-
Re: Problem: script written and invoked shows bourne shell has varying file size

James wrote:

> Now CERT usually recommends that you compare the system against known
> media. How exactly is this done? I have the distribution on CD, and


md5sum might be the easiest to use. You get checksums to compare.

> have superuser access to the system. My thought was that I'd print the
> output of the script, go to the server room and pull the server down
> into single user mode, mount the CD, and (hopefully I could then) do a
> long listing of the sh binary to see what the actual size was.


naah. The size is no secure indicator. You can always pad up a file to give
it the proper size ;-). You know chkrootkit?

> Problem2: If there is a trojan in the system, what is the most
> effective step by step way to reload the original binaries? I don't
> necessarily want to reinstall the OS, and all backups are now suspect.


???
If you are sure you are compromised you should first secure all evidence
for possible later investigation, try to find out how it was done (else you
might end up with the same problem half a day later), then do a reinstall.
No way to guarantee a clean system otherwise.

> What do I do?


Tell your honey you'll be doing overtime ;-)

--
"as appealing as it might seem, it is impossible to patch or upgrade users"
<Security Warrior>


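The md5sum comparison suggested above, as an added example that is not part of the thread: a Bourne-shell script that builds a checksum manifest from a trusted tree (standing in for the mounted distribution CD) and checks the live tree against it. It also shows why size is no indicator, by replacing a sample "sh" with different content of exactly the same byte count. The directory layout, file contents and the trusted/live paths are all constructed for the demonstration; on a real host you would point make_manifest at the mounted media and verify_against at the installed filesystem.

```sh
#!/bin/sh
# Added example, not from the original post. Compares installed files against a
# known-good copy by checksum instead of by size. HASH_CMD defaults to md5sum
# (as in the thread); sha256sum is a drop-in replacement with the same output format.
HASH_CMD="${HASH_CMD:-md5sum}"

# Hash every regular file below a directory, one "<sum>  ./relative/path" line each.
make_manifest() {
    dir="$1"
    ( cd "$dir" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        "$HASH_CMD" "$f"
    done )
}

# Check a live tree against a manifest produced from trusted media.
# Prints one line per missing or modified file; returns 0 only when all match.
verify_against() {
    ref_manifest="$1"   # manifest generated from the trusted copy
    live_dir="$2"       # tree on the possibly compromised host
    status=0
    while read -r sum path; do
        live="$live_dir/$path"
        if [ ! -f "$live" ]; then
            echo "MISSING  $path"; status=1; continue
        fi
        live_sum=$("$HASH_CMD" "$live" | cut -d' ' -f1)
        if [ "$live_sum" != "$sum" ]; then
            echo "MODIFIED $path"; status=1
        fi
    done < "$ref_manifest"
    return $status
}

# Constructed demonstration: a "trusted" and a "live" tree in a temp directory.
# The live sh is replaced by different content padded to the same length, so
# ls -l shows identical sizes while the checksum still catches the change.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/trusted/bin" "$work/live/bin"
    printf 'original-sh-v1\n' > "$work/trusted/bin/sh"   # 15 bytes
    printf 'original-ls-v1\n' > "$work/trusted/bin/ls"
    cp "$work/trusted/bin/ls" "$work/live/bin/ls"          # ls untouched
    printf 'tampered-sh-v9\n' > "$work/live/bin/sh"       # also 15 bytes
    make_manifest "$work/trusted" > "$work/ref.md5"
    size_trusted=$(wc -c < "$work/trusted/bin/sh" | tr -d ' ')
    size_live=$(wc -c < "$work/live/bin/sh" | tr -d ' ')
    echo "size trusted=$size_trusted live=$size_live"
    if verify_against "$work/ref.md5" "$work/live"; then
        echo "OK: all files match the trusted media"
    else
        echo "ALERT: differences found, treat the host as compromised"
    fi
    rm -rf "$work"
}

demo
```

Two points matter in practice: generate the manifest from the trusted media, never from the suspect host, and run the hashing tool itself from that media (a trojaned md5sum on the host can report whatever it likes). The script reports "MODIFIED ./bin/sh" although both copies of sh are 15 bytes long, which is the padding trick the reply describes.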