Machine compromised, now has ports open
Hi all, several of my home machines (all running Fedora Core 3) have been hacked and I want to know what to do to get rid of all the malicious things left behind. I believe it is because one of the users has a weak password and the hacker entered that account, then ran a bunch of ssh port scans and probably many other things. I have disabled that user account, killed all his processes, changed the root password and run chkrootkit on the machine, and it reports some problems still around. The machine is now offline.
Basically I need your guidance in recovering from this without a complete reinstall. Thanks in advance.
... snippet of the report from chkrootkit:
Checking `bindshell'... INFECTED (PORTS: 4000)
Checking `lkm'... chkproc: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! root 3460 tty4 /sbin/mingetty tty4
! root 3462 tty5 /sbin/mingetty tty5
! root 3464 tty6 /sbin/mingetty tty6
chkutmp: nothing deleted
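The one concrete finding in that report is the `bindshell' check reporting port 4000, so the first thing to pin down is which process owns that listening socket and where its binary lives. Below is an added triage helper (my code, not the poster's and not part of chkrootkit) that parses the INFECTED lines out of the report text and cross-references the ports against the kernel's TCP table in /proc/net/tcp, the same data netstat -p reads. The report text is the snippet from the post; the /proc/net/tcp table embedded here is a constructed sample with an invented listener on port 4000 owned by uid 500 so that the script runs offline. The socket_owner() lookup is Linux-only and needs root to read other processes' fd directories.

```python
"""Triage a chkrootkit 'bindshell' finding: which process owns the port?

Added example, not code from the original post or from chkrootkit.
Assumptions: the report lines look like the snippet in the post, and the
host is Linux with the /proc/net/tcp layout used by netstat.
"""
import glob
import os
import re

# Lines taken from the post's chkrootkit snippet.
SAMPLE_REPORT = """\
Checking `bindshell'... INFECTED (PORTS: 4000)
Checking `lkm'... chkproc: nothing detected
Checking `rexedcs'... not found
"""

# Constructed sample of /proc/net/tcp (not from the poster's machine):
# sshd on 0.0.0.0:22 (0016), a listener on 0.0.0.0:4000 (0FA0) owned by
# uid 500, and one established connection. State 0A means LISTEN.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 00000000 100 0 0 10 0
   1: 00000000:0FA0 00000000:0000 0A 00000000:00000000 00:00000000 00000000   500        0 5678 1 00000000 100 0 0 10 0
   2: 0100007F:0016 0100007F:9C40 01 00000000:00000000 00:00000000 00000000     0        0 9012 1 00000000 20 4 30 10 -1
"""

INFECTED_RE = re.compile(
    r"Checking `(?P<check>[^']+)'\.\.\. INFECTED(?: \(PORTS: (?P<ports>[\d ,]+)\))?"
)


def parse_chkrootkit(report: str) -> dict:
    """Return {check_name: [ports]} for every line chkrootkit marked INFECTED."""
    findings = {}
    for line in report.splitlines():
        m = INFECTED_RE.search(line)
        if m:
            ports = [int(p) for p in re.split(r"[ ,]+", m.group("ports") or "") if p]
            findings[m.group("check")] = ports
    return findings


def parse_listeners(proc_net_tcp: str) -> dict:
    """Return {port: (uid, inode)} for sockets in LISTEN state (st == 0A)."""
    listeners = {}
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        local_addr, state, uid, inode = fields[1], fields[3], fields[7], fields[9]
        if state != "0A":
            continue
        port = int(local_addr.split(":")[1], 16)  # port is hex in /proc/net/tcp
        listeners[port] = (int(uid), int(inode))
    return listeners


def socket_owner(inode: int) -> list:
    """Scan /proc/<pid>/fd for 'socket:[inode]'; returns [(pid, exe_path)].

    Linux only; needs root to see other users' fds. The exe symlink still
    resolves (marked '(deleted)') if the binary was unlinked after launch,
    which is itself worth noting for a suspected backdoor.
    """
    owners = []
    for fd in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            if os.readlink(fd) == f"socket:[{inode}]":
                pid = int(fd.split("/")[2])
                try:
                    exe = os.readlink(f"/proc/{pid}/exe")
                except OSError:
                    exe = "?"
                owners.append((pid, exe))
        except OSError:
            continue  # fd closed between glob and readlink, or not permitted
    return owners


def triage(report: str, proc_net_tcp: str) -> list:
    """Cross-reference INFECTED ports against sockets actually in LISTEN state."""
    findings = parse_chkrootkit(report)
    listeners = parse_listeners(proc_net_tcp)
    rows = []
    for check, ports in findings.items():
        for port in ports:
            uid, inode = listeners.get(port, (None, None))
            rows.append({"check": check, "port": port, "uid": uid, "inode": inode})
    return rows


if __name__ == "__main__":
    # On the compromised host read the live table; elsewhere fall back to the sample.
    try:
        with open("/proc/net/tcp") as f:
            table = f.read()
    except OSError:
        table = SAMPLE_PROC_NET_TCP
    for row in triage(SAMPLE_REPORT, table):
        owners = socket_owner(row["inode"]) if row["inode"] else []
        print(row, owners)
```

Run it as root on the offline box; once it names a PID and an exe path, compare that path against the package database with rpm -Vf on the file (or rpm -Va for the whole system) before trusting anything else chkrootkit reports, since a binary that rpm flags as modified means the tools you are checking with may themselves be replaced.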