You should probably do some reading in the security forum, but basically, you can't trust this machine. If I were in your shoes, I would have a good, long look at what Tripwire has flagged as changed. Look for software and/or directories that you know you haven't been messing with. Also have a look at the outputs of lsof -i, and netstat -pantu for listening processes that are things you don't normally run. Running nmap might not be a bad idea either. The problem with these is that if your system has been seriously compromised, you can't necessarily trust them if they don't show anything out of the ordinary. I would also boot from a live CD distro like Knoppix and run chkrootkit and rkhunter. Also have a look in your system logs for anything out of the ordinary. Running last to see who has logged in might be useful, but again, that command may have been compromised.
I would also suggest that simply re-installing ntp is not the way to go. If they gained access to your box through an ntp exploit, I seriously doubt that ntp is the only thing that was compromised. If any hunting finds additional issues, you're going to need to nuke the disk and re-install from a trusted source. I would also ask a moderator to move this to the Security forum. You'll get a lot more good advice there than in Network.
And I almost forgot the most important thing... Unplug the network card. Take this box off the network until you can figure out what has, or has not, happened.
Last edited by Hangdog42; 05-08-2005 at 01:52 PM.
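
An added example, not part of the original post: a shell filter that reads netstat -pantu output and reports listening sockets that are not on a known-good list, which is the comparison the post asks for by eye. The allowlist, the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example. EXPECTED is a constructed allowlist of proto/port pairs that
# this host is supposed to serve; replace it with your own known-good list.
EXPECTED="tcp/22 tcp/25 udp/123"

# Constructed sample of `netstat -pantu` output (not from a real host).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      905/sendmail
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN      4412/.x
tcp        0     48 192.0.2.10:22           198.51.100.7:51514      ESTABLISHED 4500/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           830/ntpd
udp        0      0 0.0.0.0:4000            0.0.0.0:*                           -
EOF
}

# Reads netstat text on stdin; prints "proto/port owner" for each listener
# that is not in EXPECTED. An owner of "-" means netstat could not name the
# owning process, which deserves a closer look on its own.
unexpected_listeners() {
    awk -v allow="$EXPECTED" '
    BEGIN { n = split(allow, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
    $1 ~ /^(tcp|udp)6?$/ {
        proto = $1; sub(/6$/, "", proto)           # treat tcp6/udp6 like tcp/udp
        if (proto == "tcp" && $6 != "LISTEN") next # listening TCP sockets only
        if (proto == "udp" && $5 !~ /:\*$/) next   # unconnected UDP sockets only
        owner = (proto == "tcp") ? $7 : $6         # UDP rows have no State column
        k = split($4, a, ":")                      # port is the last ":" field
        key = proto "/" a[k]
        if (!(key in ok)) print key, owner
    }' | sort -u
}

# Live use (as root so the PID/Program column is filled in):
#   netstat -pantu | unexpected_listeners
sample_netstat | unexpected_listeners
```

An empty result only means nothing unexpected was reported by the netstat binary that produced the input, so the same limits on trusting that binary apply.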