> Back up all data that you know for certain is still safe, wipe the disk entirely,
> and do a clean reinstall. If the box was rooted, there is no way to determine
> the extent of the intrusion, and therefore any attempts to replace solely the
> compromised aspects of the system would be irrelevant.

Also check any scripts before restoring. You may find a user or root
.login/.profile or similar in the /home area people habitually restore
without checking contains hooks to reinstall any trojans. If you are
paranoid, remove the execute bits from everything you restore too.

Alan
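
One way to carry out the two checks described above on a restored /home tree, as an added example that is not part of the original message. It assumes the backup has been unpacked into a staging directory first; the function names and the list of startup file names are illustrative choices.

```shell
#!/bin/sh
# Added example: audit a restored /home tree while it still sits in a staging
# directory. The startup-file list is an assumption; extend it for local shells.

# Print login/startup scripts under $1 so each can be read by hand
# before the tree is moved into place.
list_startup_files() {
    find "$1" -type f \( -name .login -o -name .logout -o -name .profile \
        -o -name .cshrc -o -name .tcshrc -o -name .bashrc \
        -o -name .bash_profile -o -name .bash_login -o -name .bash_logout \
        -o -name .zshrc -o -name .xinitrc -o -name .xsession \) -print | sort
}

# Print regular files that carry an execute bit for user, group or other.
list_executables() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print | sort
}

# Remove the execute bits from every regular file under $1.
# Directories keep theirs so the tree stays traversable.
strip_exec_bits() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) \
        -exec chmod a-x {} +
}

# When given a staging directory, report first, then strip.
if [ -d "${1:-}" ]; then
    echo "Startup scripts to review by hand:"
    list_startup_files "$1"
    echo "Files losing their execute bits:"
    list_executables "$1"
    strip_exec_bits "$1"
fi
```

Execute bits are restored per file only after that file has been reviewed.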