Date: Sat, 12 Jun 2004 13:03:07 +0000 From: Thordur Ivar <thib@mi.is> To: freebsd-security@freebsd.org Subject: Re: Hacked or not appendice Message-ID: <20040612130307.2c4483cb.thib@mi.is> In-Reply-To: <019101c45072$a8b9cfe0$3501a8c0@pro.sk> References: <019101c45072$a8b9cfe0$3501a8c0@pro.sk>
next in thread | previous in thread | raw e-mail | index | archive | help
I have on a CD a number of binarys ( sources actually ) ( e.g. ls, find, grep, awk, sed, locate e.t.c. ) and when I belive that a machine has been cracked I remove the network cable from that machine and mount the cdrom build the sources and start looking. If I need something in that process I put it on my USB memstick from a 'trusted machine' and move it by hand over. Roughly speaking this is my process. >On Sat, 12 Jun 2004 13:44:45 +0200 >"Peter Rosa" <prosa@pro.sk> wrote: > Hi all again, > > I must add, there are no log entries after June 9, 2004. "LKM" message first > apeared June 8, 2004, after this day, there is nothing in /var/messages, > /var/security ..... > > How could I look for suspicious LKM module ? How could I find it, if the > machine is hacked and I can not believe "ls", "find" etc. commands ? > > Peter Rosa > > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" > >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040612130307.2c4483cb.thib>