From owner-freebsd-questions@FreeBSD.ORG Wed Jun 28 12:40:39 2006
Return-Path:
X-Original-To: questions@freebsd.org
Delivered-To: freebsd-questions@FreeBSD.ORG
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EA32716A413 for ; Wed, 28 Jun 2006 12:40:39 +0000 (UTC) (envelope-from mrb@bmyster.com)
Received: from loqtis.bmyster.com (ns1.bmyster.com [65.175.135.37]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6976744C5D for ; Wed, 28 Jun 2006 12:40:39 +0000 (GMT) (envelope-from mrb@bmyster.com)
Received: from bmyster.com (localhost.bmyster.com [127.0.0.1]) by loqtis.bmyster.com (8.13.3/8.13.3) with ESMTP id k5SCeb7m007182 for ; Wed, 28 Jun 2006 08:40:37 -0400 (EDT)
From: "Brent"
To: questions@freebsd.org
Date: Wed, 28 Jun 2006 08:40:31 -0400
Message-Id: <20060628122920.M72053@bmyster.com>
X-Mailer: Open WebMail 2.51 20050228
X-OriginatingIP: 65.175.128.10 (mrb)
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Cc:
Subject: how to check for a compromised system
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 28 Jun 2006 12:40:40 -0000

Hello,

I'm running several servers all ranging from FBSD 4.11 through the 5.4 release, patched of course. My question is how do I check a system to see if it has been compromised? I have already run a current version of "chkrootkit" & found nothing. The symptom I'm seeing is yesterday all of a sudden the root user was removed from the /etc/passwd file & I'm not sure how to track down what happened. I managed to recover from this. Are there any other tools that I can use to track down say who did what on the box? Files that may have changed & time & dates... Any help is greatly appreciated.

--
Brent
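The question asks for a way to find files that changed, with times and dates, and to catch a condition such as root vanishing from /etc/passwd. The script below is an added example and is not part of the original post or any FreeBSD tool: a minimal baseline-and-compare integrity check built only on POSIX utilities (find, cksum, awk, sort), so it runs unchanged on FreeBSD 4.x/5.x and on Linux. The directory, snapshot file names and passwd path are parameters; the demo data is constructed. The intended workflow is to snapshot /etc right after install or patching, keep that snapshot off-box or on read-only media, and diff a fresh snapshot against it when something looks wrong, since a baseline stored on the same box can be edited along with everything else.

```shell
#!/bin/sh
# Added example, not from the original post. Baseline-and-compare integrity
# check using only POSIX tools so it works on FreeBSD 4.x/5.x and Linux.

# snapshot DIR OUT: record "crc size path" for every regular file under DIR,
# sorted by path. (Paths containing spaces are not handled; /etc has none.)
snapshot() {
    find "$1" -type f -exec cksum {} \; | sort -k3 > "$2"
}

# compare BASELINE CURRENT: print one line per ADDED, REMOVED or CHANGED file.
# Output is sorted so it is stable and easy to diff or mail to yourself.
compare() {
    awk 'NR == FNR { base[$3] = $1 " " $2; next }
         {
             if (!($3 in base))              print "ADDED   " $3
             else if (base[$3] != $1 " " $2) print "CHANGED " $3
             delete base[$3]
         }
         END { for (f in base) print "REMOVED " f }' "$1" "$2" | sort
}

# recently_modified DIR DAYS: regular files whose mtime is within DAYS days.
# A quick "what changed around the time root disappeared" view; an intruder
# with root can reset mtimes, so treat this as a hint, not proof.
recently_modified() {
    find "$1" -type f -mtime -"$2"
}

# has_root_uid0 PASSWDFILE: succeed only if an account named root with UID 0
# is present (the condition the poster found broken). Suitable for cron.
has_root_uid0() {
    awk -F: '$1 == "root" && $3 == 0 { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# Self-contained demonstration on constructed files in a temp directory.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/etc"
    printf 'root:*:0:0:Charlie &:/root:/bin/csh\n' > "$tmp/etc/passwd"
    printf 'nameserver 192.0.2.1\n' > "$tmp/etc/resolv.conf"
    snapshot "$tmp/etc" "$tmp/base.sum"
    printf 'nameserver 192.0.2.2\n' > "$tmp/etc/resolv.conf"   # changed
    : > "$tmp/etc/rc.local"                                     # added
    rm "$tmp/etc/passwd"                                        # removed
    snapshot "$tmp/etc" "$tmp/now.sum"
    compare "$tmp/base.sum" "$tmp/now.sum"
    if has_root_uid0 "$tmp/etc/passwd" 2>/dev/null; then
        echo "root UID 0 present"
    else
        echo "WARNING: no root account with UID 0 in $tmp/etc/passwd"
    fi
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it with `--demo` to see the three difference classes and the missing-root warning on the constructed tree; in real use call `snapshot /etc /var/db/etc.base` once, then `snapshot /etc /tmp/etc.now && compare /var/db/etc.base /tmp/etc.now` from cron. cksum is a CRC, not a cryptographic hash, so this catches accidental and casual changes but not an adversary who pads a file to a chosen CRC; on FreeBSD, mtree(8) with -K sha256digest gives the same workflow with a stronger digest.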