> I've got a box that someone put a "toolz" kit on yesterday. Any ideas on
> how to cleanse the beast?

I know this is not the answer you want to hear, but the answer is to back up the old system and reinstall.

While you are contemplating how much of a nuisance this is and how much you don't want to do it, consider the following common things that script kiddies often do when taking over a system:

o Install trojanized versions of netstat that will not show the ports on which the backdoors they install are listening.

o Install kernel modules to hide ports from view in the "/proc" filesystem, so that nothing, not even netstat, will show the ports on which backdoors listen.

o Install trojanized versions of 'ls' to hide specific files from view.

o Install kernel modules to hide files and directories from view.

o Install kernel modules to hide specific processes from view.

o Install kernel modules that cause 'exec' calls to specific files to be diverted to other files. This way, tools like tripwire can open the original versions of these files and see the expected checksums for them, but when executed, another file is designated to be loaded into memory, instead.

o Install kernel modules to hide the presence of other kernel modules.

Note that every one of these techniques has been seen in the wild. Not one is in any sense purely a theoretical concern. Are you really sure you can defeat all the incarnations of each of these approaches to securing a foothold on your system?

None of us likes reinstalling systems, but there are reasons why people in the security business will advise you to do so, when you think a system has been compromised.

Adrian
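A cross-view check in the spirit of the hidden-port and hidden-process items above, added here as an illustration and not part of Adrian's reply. It assumes a Linux /proc layout; the /proc/net/tcp excerpt embedded in it is constructed sample data.

```python
import errno
import os
import socket

# Constructed /proc/net/tcp excerpt: local_address is hex IP:port, column "st" 0A means LISTEN.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0A000002:B3C4 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
"""


def local_ports(proc_net_tcp_text, listen_only=False):
    """Local TCP ports according to the /proc/net/tcp view (the same source netstat reads)."""
    ports = set()
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) >= 4 and (not listen_only or fields[3] == "0A"):
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports


def listening_ports(proc_net_tcp_text):
    return local_ports(proc_net_tcp_text, listen_only=True)


def ports_in_use_by_bind(ports):
    """Second, independent view: bind() reports EADDRINUSE for any port the kernel already
    has a socket on, whether or not /proc/net/tcp admits it. EACCES on privileged ports
    without root is not treated as 'in use'."""
    busy = set()
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            try:
                s.bind(("0.0.0.0", port))
            except OSError as e:
                if e.errno == errno.EADDRINUSE:
                    busy.add(port)
    return busy


def hidden(listed, probed):
    """Items a direct probe finds but the listing omits: the signature of a hiding hook."""
    return sorted(set(probed) - set(listed))


def hidden_pids(max_pid=32768):
    """PIDs reachable by path lookup but missing from readdir() on /proc."""
    listed = {int(n) for n in os.listdir("/proc") if n.isdigit()}
    probed = {p for p in range(1, max_pid) if os.path.exists(f"/proc/{p}/status")}
    return hidden(listed, probed)


if __name__ == "__main__":
    with open("/proc/net/tcp") as f:
        shown = local_ports(f.read())  # all states, so TIME_WAIT ports are not false positives
    print("ports busy but absent from /proc/net/tcp:", hidden(shown, ports_in_use_by_bind(range(1, 65536))))
    print("pids present but absent from readdir(/proc):", hidden_pids())
```

An empty result proves little: a kernel module that hooks both the listing and the lookup path, as the modules described above do, leaves nothing for a user-space comparison to catch, which is exactly why the reply ends at reinstall.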