Security Basics mailing list archives

Re: redhat audit


From: "Douglas K. Fischer" <fischerdk () purefm net>
Date: Tue, 17 Jun 2003 09:06:21 -0400


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 05:01 PM 6/16/2003, Matthew Sallee wrote:
> recently my redhat box was compromised and i'm auditing changes that were made
> (i didn't notice for several days).
>
> i've been trying to create a command that will allow me to view all the files
> modified in the last x number of days.
>
> i've tried piping ls to grep with minimal success. any help is greatly
> appreciated...

A. 'find' is your friend

B. Timestamps can be easily faked to hide activity, so I wouldn't put too 
much reliance on them to determine what has changed. You're better off 
using MD5 checksums (running Tripwire by any chance?). Best bet though is 
to reinstall RH and restore your files from a known good backup.

Good luck,

Doug 
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBPu8STZ938qfSpraDEQL9kwCgw2Q3ADT1EPsGYFkCkj9iUZETgtMAoIVm
am3dTiuKxEiYchGBJBhn0Dlj
=hcaa
-----END PGP SIGNATURE-----
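
Both points of the reply above as an added example, not part of the original message: `find` answers the "modified in the last x days" question, and a checksum manifest still flags a file whose modification time was put back. The function names, the sample files and the use of SHA-256 in place of the MD5 the message mentions are assumptions of this example.

```shell
#!/bin/sh
# Added example; function names, paths and sample files are hypothetical.

# List regular files under DIR whose mtime falls within the last DAYS days.
# Swapping -mtime for -ctime tests the inode change time, which touch(1)
# cannot set, but neither timestamp is proof of what changed.
modified_within() {
    find "$1" -xdev -type f -mtime "-$2" -print
}

# Write a checksum manifest for DIR. Keep the manifest off the host
# (read-only media or another machine) so it cannot be rewritten.
make_baseline() {
    find "$1" -xdev -type f -exec sha256sum {} + | sort -k 2 > "$2"
}

# Print every file whose checksum no longer matches the manifest,
# including files that have gone missing since the baseline.
verify_baseline() {
    LC_ALL=C sha256sum -c "$1" 2>/dev/null | sed -n 's/: FAILED.*$//p'
}

# Demonstration on constructed files in a scratch directory.
demo() {
    d=$(mktemp -d) && m=$(mktemp) || return 1
    printf 'root:x:0:0\n' > "$d/passwd.sample"
    printf 'echo hello\n' > "$d/tool.sh"
    touch -t 200306010000 "$d/passwd.sample" "$d/tool.sh"
    make_baseline "$d" "$m"
    printf 'echo changed\n' > "$d/tool.sh"   # content is altered ...
    touch -t 200306010000 "$d/tool.sh"       # ... and the mtime is put back
    echo "find -mtime -7 reports: $(modified_within "$d" 7)"
    echo "checksum check reports: $(verify_baseline "$m")"
    rm -rf "$d" "$m"
}

demo
```

A manifest is only useful if it was taken before the compromise; one generated afterwards records the altered files as the baseline.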

