Security Basics mailing list archives
Re: redhat audit
From: Ulrich Keil <ulrich () der-keiler de>
Date: Tue, 17 Jun 2003 17:32:40 +0200
On Mon, Jun 16, 2003 at 03:01:05PM -0600, Matthew Sallee wrote:
> recently my redhat box was compromised and i'm auditing changes that were made (i didn't notice for several days). i've been trying to create a command that will allow me view all the files modified in the last x number of days. i've tried piping ls to grep with minimal success. any help is greatly appreciated... matt
Because any good attacker would install a root-kit on your machine, it is nearly impossible to detect modified files if the machine is running. Try to boot the box with a rescue linux system like knoppix: http://www.knoppix.org/ Then you have a chance to find out what has been done.

Ulrich

--
http://www.derkeiler.com
PGP Fingerprint: 5FA4 4C01 8D92 A906 E831 CAF1 3F51 8F47 1233 9AAD
Public key available at http://www.derkeiler.com/uk/pgp-key.asc
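An added example (not part of Ulrich's reply or anything else in this thread) of the "files changed in the last x days" listing Matt asked for, written to be run from a rescue system against the suspect disk mounted read-only. The mount point `/mnt/victim` and the helper names are assumptions. It offers both an mtime-based and a ctime-based listing: an intruder can backdate a file's mtime with `touch`, but the inode change time (ctime) is updated by that very `touch`, so the ctime variant still catches such files.

```shell
#!/bin/sh
# Hypothetical helpers, not from the thread. Run from a rescue system with the
# suspect filesystem mounted read-only, e.g.:
#   mount -o ro,noexec,nodev /dev/sda1 /mnt/victim
# Only POSIX find primaries are used, so this works with GNU and BSD find.

# List regular files under $1 whose content (mtime) changed within the last $2 days.
# -xdev  : stay on one filesystem (do not wander into /proc, /sys, other mounts)
# -type f: regular files only
# -mtime -N: modified fewer than N*24h ago
recently_modified() {
    root="$1"   # assumed mount point, e.g. /mnt/victim
    days="$2"   # look-back window in days
    find "$root" -xdev -type f -mtime "-$days" -print
}

# Same, but keyed on inode change time (ctime). ctime cannot be set with
# touch, so a file whose mtime was backdated still shows up here.
recently_changed() {
    root="$1"
    days="$2"
    find "$root" -xdev -type f -ctime "-$days" -print
}

# Counting wrappers so a caller (or a test) can check results without
# parsing the file list. tr strips the padding BSD wc prints.
recently_modified_count() {
    recently_modified "$1" "$2" | wc -l | tr -d ' '
}

recently_changed_count() {
    recently_changed "$1" "$2" | wc -l | tr -d ' '
}

# Example invocation against the assumed mount point (uncomment to use):
# recently_changed /mnt/victim 7 | sort
```

Compare the two lists: a file that appears under the ctime listing but not under the mtime one has had its timestamps tampered with, which is itself worth noting in the incident record. Replace `-print` with `-ls` if you want the timestamps and ownership shown next to each path.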