IDS mailing list archives

tripwire failed???


From: anthony () synt3gra com
Date: Sun, 15 Jul 2007 15:11:11 -0400 (EDT)

I have discovered that my server has been compromised.  I believe it's
some sort of rootkit.  It has managed to circumvent both rkhunter and
tripwire.  The only reason I detected it is because I happened to run a
'ps' command when the server was slow and noticed a connection from an
unwarranted user. I then 'netstat'ed.  Apparently, the attacker(s) is
utilizing a program that obfuscates their presence in the usual logging
areas as well.  I just "happened" to catch them.  'ps -aux' showed that an
UNKNOWN user was utilizing sshd.  I was able to parse output to a file for
further viewing. I would post 'log-files' but they show no indication of
compromise (as far as I can tell).

I know that there are a plethora of rootkits in circulation, but does
anyone know how I might detect/remove such a rootkit?  I hate to have to
reload OS/tripwire/rkhunter/reload permissions... start over.

Any other tools I should be utilizing?
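The poster only noticed the intruder because one `ps` run happened to show a process the logs did not. A cheap check that turns that lucky catch into a repeatable one is to compare the process list that userland tools report against what the kernel exposes: numeric entries under /proc, and a brute-force `kill(pid, 0)` probe for PIDs that a hooked directory listing might skip. The script below is an added example written for this thread, not something the poster ran or a part of rkhunter or tripwire; the sample /proc listing and `ps` output in it are constructed for the demonstration, and the live check assumes a Linux host with a procps-style `ps` that accepts `-e -o pid=`.

```python
import os
import subprocess

# Upper bound for the brute-force probe; real hosts expose the limit in
# /proc/sys/kernel/pid_max, which the live check reads when available.
DEFAULT_PID_MAX = 32768


def pids_from_ps(ps_text):
    """Parse PIDs out of `ps -e -o pid=` output (one bare number per line)."""
    pids = set()
    for line in ps_text.splitlines():
        token = line.strip()
        if token.isdigit():
            pids.add(int(token))
    return pids


def pids_from_proc_listing(entries):
    """Numeric directory names in /proc are process IDs; skip cpuinfo, self, etc."""
    return {int(name) for name in entries if name.isdigit()}


def hidden_pids(kernel_pids, userland_pids):
    """PIDs the kernel knows about that the userland tool did not report."""
    return sorted(kernel_pids - userland_pids)


def probe_pid(pid):
    """Ask the kernel directly whether a PID exists, without touching /proc.

    Signal 0 delivers nothing; EPERM means the process exists but is not ours,
    ESRCH means there is no such process.
    """
    try:
        os.kill(pid, 0)
        return True
    except PermissionError:
        return True
    except ProcessLookupError:
        return False


def brute_force_pids(pid_max=DEFAULT_PID_MAX, probe=probe_pid):
    """Enumerate live PIDs by probing every candidate; `probe` is injectable for tests."""
    return {pid for pid in range(1, pid_max + 1) if probe(pid)}


def read_pid_max():
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read().strip())
    except OSError:
        return DEFAULT_PID_MAX


def check_live_host():
    """Run the comparison on this machine. Returns (hidden_from_ps, hidden_from_proc)."""
    ps_out = subprocess.run(
        ["ps", "-e", "-o", "pid="], capture_output=True, text=True, check=True
    ).stdout
    ps_pids = pids_from_ps(ps_out)
    proc_pids = pids_from_proc_listing(os.listdir("/proc"))
    probed = brute_force_pids(read_pid_max())
    # Processes that exit between the two snapshots show up as false positives,
    # so only report PIDs that are still alive on a second look.
    still_alive = {pid for pid in probed if probe_pid(pid)}
    return (
        hidden_pids(proc_pids & still_alive, ps_pids),
        hidden_pids(still_alive, proc_pids),
    )


# Constructed sample: the kernel lists four processes, ps reports only three.
SAMPLE_PROC_ENTRIES = ["1", "2", "1337", "self", "cpuinfo", "4242", "sys"]
SAMPLE_PS_OUTPUT = "    1\n    2\n 4242\n"


if __name__ == "__main__":
    print("sample run, hidden from ps:", hidden_pids(
        pids_from_proc_listing(SAMPLE_PROC_ENTRIES), pids_from_ps(SAMPLE_PS_OUTPUT)))
    from_ps, from_proc = check_live_host()
    print("live host, in /proc but not in ps:", from_ps)
    print("live host, alive but not in /proc:", from_proc)
```

Two caveats matter in practice. A rootkit that patches the kernel's own syscall table can lie to `kill()` and /proc alike, so an empty result does not clear the host; it only rules out the userland-hooking (LD_PRELOAD or trojaned binary) class. And the comparison is inherently racy, which is why the live check re-probes before reporting; running it from a known-clean rescue medium against the mounted disk, as rkhunter recommends, sidesteps both problems for the file-integrity part of the investigation.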
