Date: Wed, 28 Jun 2006 09:42:06 -0400
From: Chuck Swiger <cswiger@mac.com>
To: Brent <mrb@bmyster.com>
Cc: questions@freebsd.org
Subject: Re: how to check for a compromised system
Message-ID: <44A2872E.8000500@mac.com>
In-Reply-To: <20060628122920.M72053@bmyster.com>
References: <20060628122920.M72053@bmyster.com>
Brent wrote:
> Hello,
> I'm running several servers all ranging from FBSD 4.11 through the 5.4
> release, patched of course. My question is how do I check a system to see
> if it has been compromised? I have already run a current version of
> "chkrootkit" & found nothing.

There isn't a simple answer to that, but start with looking under /var/log
and at the output of `last`. You might consider running tcpdump -o _file_
for a day or so and review it for illicit traffic.

> The symptom I'm seeing is yesterday all of a sudden the root user was
> removed from the /etc/passwd file & I'm not sure how to track down what
> happened. I managed to recover from this. Are there any other tools that I
> can use to track down say who did what on the box? Files that may have
> changed & time & dates...

find / -mtime 2

...would probably be a good starting point.

-- 
-Chuck
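The two checks Chuck points at (the passwd file and recently changed files), written out as an added example for this archive page rather than code from the thread. The function names and the sample passwd lines in the comments are constructed; the script uses find -mtime -N, meaning "modified within the last N days".

```sh
#!/bin/sh
# Added example (not from the thread): two defender-side checks following
# the advice above. check_passwd confirms the passwd file still has a uid-0
# root and flags uid-0 logins not on an expected list; recent_files lists
# files changed within the last N days. Sample inputs are constructed.

# check_passwd ALLOWED [FILE]
# ALLOWED: space-separated logins expected to have uid 0. On FreeBSD that
# is "root toor" (toor ships with a locked password). Reads FILE, or stdin
# when FILE is omitted, and prints every uid-0 login found.
# Exit status: 0 = root present, nothing unexpected; 1 = root missing
# (the symptom in the thread); 2 = root present but unexpected uid-0 logins.
check_passwd() {
    allowed=$1
    uid0=$(awk -F: '$3 == 0 { print $1 }' ${2:+"$2"})
    root_ok=0
    extra=0
    for u in $uid0; do
        echo "$u"
        if [ "$u" = root ]; then
            root_ok=1
        fi
        case " $allowed " in
            *" $u "*) ;;
            *) extra=1; echo "unexpected uid-0 login: $u" >&2 ;;
        esac
    done
    if [ "$root_ok" -ne 1 ]; then
        echo "root is missing from the passwd file" >&2
        return 1
    fi
    if [ "$extra" -ne 0 ]; then
        return 2
    fi
    return 0
}

# recent_files DIR DAYS
# Lists regular files under DIR modified within the last DAYS days
# (find -mtime -N), sorted so the output can be diffed against a listing
# taken from a known-good system.
recent_files() {
    find "$1" -type f -mtime "-$2" 2>/dev/null | sort
}
```

Run check_passwd against a copy of /etc/master.passwd (or a backup, to compare) rather than editing anything in place, e.g. `check_passwd "root toor" /etc/master.passwd`.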
