If you think it's not only paranoia, then check this URL for forensic analysis.
Is it a question of paranoia? Are there no ways to ensure that the system is clean while keeping it alive?
You'll destroy the attacker's marks.
In evidence.txt they checked the md5sums of the installed packages. Which database do they use as a reference?
The original database of the attacked machine: rpm -V -a --root=`pwd`/mnt/ | grep ^..5
When I check all binaries as recently described, there is still the possibility that the rpm database is corrupted itself, isn't there?
Yep
Or is the result that the md5sums of all the binaries were OK sufficient to declare this system clean?
Nope. But I meant the ways to examine your system for attackers' marks, e.g. grabbing the whole drive via dd /dev/hdX | grep "part of date" as shown in the document. Read the whole doc to see all possibilities. And examine files such as ps/ifconfig/lsof too. E.g. you can use /proc to seek suspicious processes, if no kernel modules are injected.
Michael Appeldorn
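As an added illustration of the rpm -V check discussed above (not code from the thread), the following parser triages `rpm -V -a` output: the third flag column is the '5' that `grep ^..5` selects, and the 'c' attribute separates expected config edits from altered binaries such as ps or ifconfig. The sample lines are constructed, and the caveat from the thread stands: if the image's rpm database was itself modified, a clean result here proves nothing.

```python
"""Triage `rpm -V -a` output captured from a mounted forensic image."""
import re

# Meaning of each flag position (older rpm emits 8 columns, newer 9).
FLAG_MEANING = {"S": "size", "M": "mode", "5": "digest", "D": "device",
                "L": "symlink", "U": "user", "G": "group", "T": "mtime",
                "P": "capabilities"}
FILE_ATTRS = {"c": "config", "d": "doc", "g": "ghost", "l": "license", "r": "readme"}
FLAG_RE = re.compile(r"[SM5DLUGTP.?]{8,9}")

def parse_rpm_verify(text):
    """Yield (path, attr, changes) for every verification line in text."""
    for line in text.splitlines():
        parts = line.split(None, 2)
        if not parts:
            continue
        head, rest = parts[0], parts[1:]
        if head == "missing":
            changes = ["missing"]
        elif FLAG_RE.fullmatch(head):
            changes = [FLAG_MEANING[c] for c in head if c in FLAG_MEANING]
        else:
            continue  # warnings or other non-verification output
        if len(rest) == 2 and rest[0] in FILE_ATTRS:
            attr, path = FILE_ATTRS[rest[0]], rest[1]
        else:
            attr, path = None, " ".join(rest)
        yield path, attr, changes

def triage(text):
    """Split digest mismatches into config edits vs. altered non-config files."""
    report = {"altered": [], "config_edited": [], "missing": []}
    for path, attr, changes in parse_rpm_verify(text):
        if "missing" in changes:
            report["missing"].append(path)
        elif "digest" in changes:
            key = "config_edited" if attr == "config" else "altered"
            report[key].append(path)
    return report

# Constructed sample output, not captured from a real system.
SAMPLE = """\
S.5....T.  c /etc/ssh/sshd_config
.M.......    /usr/bin/ls
S.5....T.    /bin/ps
..5......    /sbin/ifconfig
missing     /usr/sbin/sshd
"""
```

Feed it the saved output of `rpm -V -a --root=/path/to/mnt` instead of SAMPLE; the "altered" list is the set of non-config files whose digest no longer matches the package database.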