From: Bill Moran
To: "Brent"
Cc: questions@freebsd.org
Date: Wed, 28 Jun 2006 08:57:51 -0400
Subject: Re: how to check for a compromised system
Message-Id: <20060628085751.850e7944.wmoran@collaborativefusion.com>
In-Reply-To: <20060628122920.M72053@bmyster.com>

In response to "Brent":

> Hello,
> I'm running several servers, all ranging from FBSD 4.11 through the 5.4 release,
> patched of course. My question is how do I check a system to see if it has been
> compromised? I have already run a current version of "chkrootkit" & found nothing.

You need to plan ahead and install Samhain (or equiv) on the machines _before_
they're deployed so you can detect unauthorized changes.

> The symptom I'm seeing is yesterday all of a sudden the root user was removed
> from the /etc/passwd file & I'm not sure how to track down what happened. I
> managed to recover from this. Are there any other tools that I can use to
> track down, say, who did what on the box? Files that may have changed & times &
> dates...

Yeah, Samhain and its class of software. Unfortunately, you have to have it
set up _before_ this happens in order for it to be useful.

-- 
Bill Moran
Collaborative Fusion Inc.
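The point of the reply above is that an integrity checker can only report a change against a baseline that was recorded before the compromise. The following is an added example, not code from the original post and not Samhain's own implementation: a minimal baseline-and-compare check in Python that records a SHA-256 hash, mode and ownership for every regular file under a root, seals the baseline with an HMAC so a baseline edited after the fact is detected, and then reports added, removed and changed files. The directory layout, the two /etc/passwd variants (one with the root line, one without, mirroring the symptom in the thread) and the demo key are all constructed for the example.

```python
"""Minimal file-integrity baseline/compare in the spirit of Samhain or AIDE.

Added example, not from the original post. The sample tree, the passwd lines
and the HMAC key are constructed for the demo.
"""
import hashlib
import hmac
import json
import os
import stat
import tempfile


def snapshot(root):
    """Record sha256, permission bits, uid, gid and size of every regular file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):  # skip symlinks, devices, sockets
                continue
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            snap[rel] = {"sha256": h.hexdigest(),
                         "mode": stat.S_IMODE(st.st_mode),
                         "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size}
    return snap


def seal(snap, key):
    """Serialize deterministically and attach an HMAC; keep the key off the monitored host."""
    body = json.dumps(snap, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"body": body.decode(), "hmac": tag})


def unseal(blob, key):
    """Verify the HMAC before trusting a stored baseline; refuse a tampered one."""
    doc = json.loads(blob)
    body = doc["body"].encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("baseline HMAC mismatch: baseline file was altered")
    return json.loads(body)


def compare(baseline, current):
    """Paths present only in current, only in baseline, or in both with any attribute differing."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


# Constructed sample: a passwd with the root entry, and the same file with it removed.
PASSWD_OK = ("root:*:0:0:Charlie &:/root:/bin/csh\n"
             "daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin\n")
PASSWD_ROOT_GONE = "daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin\n"


def demo():
    """Baseline at deploy time, then detect a root-line removal, a mode change, a new file,
    and an attempt to rewrite the baseline itself. Returns (report, tamper_detected)."""
    key = b"constructed-demo-key-the-real-one-lives-off-host"
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "passwd"), "w") as f:
            f.write(PASSWD_OK)
        with open(os.path.join(etc, "rc.conf"), "w") as f:
            f.write('sshd_enable="YES"\n')
        os.chmod(os.path.join(etc, "rc.conf"), 0o644)  # fix mode regardless of umask

        # 1. Baseline taken before the box goes live, sealed with the key.
        sealed = seal(snapshot(root), key)

        # 2. Later: root vanishes from passwd, rc.conf becomes world-writable, a file appears.
        with open(os.path.join(etc, "passwd"), "w") as f:
            f.write(PASSWD_ROOT_GONE)
        os.chmod(os.path.join(etc, "rc.conf"), 0o666)
        with open(os.path.join(etc, "extra.conf"), "w") as f:
            f.write("x\n")
        report = compare(unseal(sealed, key), snapshot(root))

        # 3. Someone edits the stored baseline to carry the new passwd hash; HMAC catches it.
        tampered = json.loads(sealed)
        old, new = (hashlib.sha256(s.encode()).hexdigest() for s in (PASSWD_OK, PASSWD_ROOT_GONE))
        tampered["body"] = tampered["body"].replace(old, new)
        try:
            unseal(json.dumps(tampered), key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return report, tamper_detected


if __name__ == "__main__":
    print(demo())
```

Two practical caveats the thread's advice implies: the baseline and the key must not live only on the monitored host (copy them off-host or to read-only media, or an intruder with root simply re-baselines), and hashing alone says nothing about who made the change; for that you still need logs shipped off the box, since an intruder who can remove the root line from /etc/passwd can also edit local logs.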