I have spent a few days looking around AntiOnline and find it has some really great resources. What brings me here is the plight of one of my servers. Some crafty little hacker managed to get root and then installed a loadable kernel module that allowed him to hide processes from the system. He hid two of them, one called updatefs (not sure what that one did) and the other a slave for a distributed denial of service attack.

I have since recompiled the kernel to disable LKMs, and what I found was that he had all of his binaries in a hidden directory named /usr/lib/ypx and that updatefs was a hidden file in /usr/sbin/. I have burned the system down and rebuilt it anew, but I am wondering two things:

1) If anyone has had similar problems and how they have dealt with it.

2) What can you do to protect yourself from this type of thing? I am leaning towards never using LKMs again.

Thanks!

Dave
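The two things the module in Dave's post did, hiding processes from the process list and hiding a directory from readdir, can both be checked for from userland when the rootkit hooks only the directory-listing path. The script below is an added example, not code from the post or from AntiOnline. It assumes a Linux host with procfs mounted at /proc and an ext-style filesystem for the directory check; the sets used at the bottom are constructed sample data standing in for what a live scan would collect. The process check is the classic "unhide" approach: anything that answers kill(pid, 0) but is neither a /proc entry nor a thread of one was hidden by something that filters the /proc readdir path but not the signal path. The directory check uses the fact that on ext2/3/4 a directory's link count is 2 plus its number of subdirectories.

```python
"""Userland checks for an LKM that hides processes and directories.

Added example, not from the original post. Assumes Linux with procfs at
/proc (configurable via proc_root) and, for the directory check, a
filesystem that keeps the classic directory link count (ext2/3/4).
"""
import os


def hidden_pids(proc_listed, threads, kill_alive):
    """Pure core of the process check, so it can be tested on sample data.

    proc_listed: PIDs that readdir(/proc) returns (what ps sees)
    threads:     TIDs found under /proc/<pid>/task for every listed pid
    kill_alive:  PIDs for which kill(pid, 0) did not fail with ESRCH

    Thread IDs answer kill() too but are not top-level /proc entries, so
    they must be subtracted or every multithreaded process looks hidden.
    """
    return sorted(kill_alive - proc_listed - threads)


def list_proc(proc_root="/proc"):
    """Numeric /proc entries plus the TIDs of each entry's task directory."""
    listed = {int(n) for n in os.listdir(proc_root) if n.isdigit()}
    threads = set()
    for pid in listed:
        try:
            task_dir = f"{proc_root}/{pid}/task"
            threads.update(int(t) for t in os.listdir(task_dir) if t.isdigit())
        except OSError:
            pass  # process exited between the two listdir calls
    return listed, threads


def probe_alive(max_pid):
    """Brute-force the PID space with signal 0. No signal is delivered, but the
    kernel still reports whether the PID exists; EPERM means it exists and
    belongs to someone else, so it counts as alive."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:
            alive.add(pid)
    return alive


def scan_processes(proc_root="/proc"):
    with open(f"{proc_root}/sys/kernel/pid_max") as f:
        max_pid = int(f.read())
    listed, threads = list_proc(proc_root)
    alive = probe_alive(max_pid)
    # List /proc again after the (slow) probe and union both views, so a
    # process that started during the probe is not reported as hidden. A
    # process that both starts and exits inside the probe window can still
    # show up; re-run and keep only PIDs reported twice to rule that out.
    listed2, threads2 = list_proc(proc_root)
    return hidden_pids(listed | listed2, threads | threads2, alive)


def hidden_subdir_count(dir_nlink, listed_subdirs):
    """Pure core of the directory check.

    On ext2/3/4 a directory's st_nlink is 2 + number of subdirectories
    ('.' plus each child's '..'). If readdir() shows fewer subdirectories
    than the link count implies, one is being hidden from the listing.
    Returns None where the filesystem does not keep this count (btrfs, for
    example, reports nlink 1 for directories).
    """
    if dir_nlink < 2:
        return None
    return dir_nlink - 2 - listed_subdirs


def check_directory(path):
    """Number of subdirectories of `path` that readdir() is not showing,
    or None if the filesystem gives no usable link count."""
    listed_subdirs = sum(
        1 for e in os.scandir(path) if e.is_dir(follow_symlinks=False)
    )
    return hidden_subdir_count(os.stat(path).st_nlink, listed_subdirs)


if __name__ == "__main__":
    # Constructed sample data: PID 777 answers kill() but is neither a
    # /proc entry nor a thread of one, so it is the hidden process.
    sample_listed, sample_threads = {1, 2, 500}, {500, 501}
    sample_alive = {1, 2, 500, 501, 777}
    print("hidden in sample:", hidden_pids(sample_listed, sample_threads, sample_alive))
    # Live checks on this host.
    print("hidden processes:", scan_processes())
    print("hidden subdirs of /usr/lib:", check_directory("/usr/lib"))
```

Run it as root so kill(pid, 0) is not refused for other users' processes (EPERM is handled, but root gives the clearest picture), and expect the probe to take a few seconds when pid_max is 4194304. Both checks run on the same kernel the module was loaded into, so a module that also hooks the signal path or rewrites st_nlink will pass them; they catch the common case described in the post, where only the listing path was hooked, and a clean result does not replace the rebuild Dave already did.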