Hi all!

I'm pretty sure my Linux box (RH7.1) has been compromised, and I'm writing this as I'm trying to pull 1.1GB of data off of it before it gets smoked...

I logged on this weekend to check something or other, and noticed that someone was on at the same time as me... first indication something was not right... Then my history was smoked, and my lastlogin info... D@mmit... Tried to run chkrootkit, and it would just hang at checking "aliens" and go no further... Nuther bad sign...

Then tonight I found a sh.zk.cgi in my cgi-bin while doing a:
find / -user root -perm -4000 -print
Don't know what the h*ll that is...
(Should I rm it, or leave it till I get my files off??? I don't want to p!ss off whoever has as much control over my box as me... Doesn't that suck...)


Double d@mmit...

Okay, so now that I've told my sob story, and am preparing to have this box reloaded, what should I be looking for to find out what happened??? chkrootkit made it through all the file checks saying all the binaries were clean, and my logs appear clean (or maybe have been cleaned)... I know I'll not be able to hunt the guy who did this, but I sure would like to know where my vulnerabilities are... Is there some other chkrootkit-type app that might run when chkrootkit won't???

I know, first time poster, tons of questions... Sorry... (But you guys know everything, right??? )

James...
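The setuid search in the post is a good habit to keep as a baseline check rather than a one-off. The script below is an added example, not part of James's post and not chkrootkit's own code: it wraps the same find predicate in a function, saves the result as a baseline, and later reports only the setuid files that were not in the baseline (which is how a stray setuid binary in a cgi-bin would stand out). The owner to match defaults to root but is a parameter so the function can be exercised on a scratch directory as a non-root user; the script name setuid_audit.sh and the baseline file name are assumptions for the usage line.

```shell
#!/bin/sh
# Added example (not from the original post): baseline-and-diff audit of
# setuid files, built on the same predicate as the poster's find command.

# list_setuid DIR [OWNER]
#   Print, sorted, every regular file under DIR that is owned by OWNER
#   (default root) and has the setuid bit set. -xdev keeps the walk on
#   one filesystem so /proc and network mounts are not scanned.
list_setuid() {
    dir=$1
    owner=${2:-root}
    find "$dir" -xdev -type f -user "$owner" -perm -4000 -print 2>/dev/null | sort
}

# new_setuid_files BASELINE_FILE DIR [OWNER]
#   Print the setuid files present now that do not appear in BASELINE_FILE.
#   BASELINE_FILE must be a sorted list as produced by list_setuid, since
#   comm(1) requires sorted input; -13 keeps only lines unique to the
#   current scan.
new_setuid_files() {
    baseline=$1
    dir=$2
    owner=${3:-root}
    list_setuid "$dir" "$owner" | comm -13 "$baseline" -
}

# Usage (assumed script name setuid_audit.sh):
#   list_setuid / > setuid-baseline.txt        # taken on a known-good box
#   sh setuid_audit.sh setuid-baseline.txt /   # later: report additions
if [ "$#" -ge 2 ]; then
    new_setuid_files "$1" "$2" "${3:-root}"
fi
```

A baseline is only meaningful if it was taken before the compromise (or from a fresh install with the same package set), and the comparison should be run from known-good binaries, for example a rescue CD, since a replaced find or comm would defeat it. Files that vanish from the baseline are worth a look too; swap the comm flags to -23 to list those.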