Security Basics mailing list archives

Re: redhat audit


From: Ulrich Keil <ulrich () der-keiler de>
Date: Tue, 17 Jun 2003 17:32:40 +0200

On Mon, Jun 16, 2003 at 03:01:05PM -0600, Matthew Sallee wrote:
> recently my redhat box was compromised and i'm auditing changes that were made 
> (i didn't notice for several days).
> 
> i've been trying to create a command that will allow me view all the files 
> modified in the last x number of days.
> 
> i've tried piping ls to grep with minimal success. any help is greatly 
> appreciated...
> 
> matt

Because any good attacker would install a rootkit on your machine, it
is nearly impossible to detect modified files if the machine is
running.

Try to boot the box with a rescue Linux system like Knoppix:

http://www.knoppix.org/

Then you have a chance to find out what has been done.

Ulrich
-- 
http://www.derkeiler.com
PGP Fingerprint: 5FA4 4C01 8D92 A906 E831  CAF1 3F51 8F47 1233 9AAD
Public key available at http://www.derkeiler.com/uk/pgp-key.asc
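The check Matt asked for, done the way Ulrich suggests (the suspect disk mounted read-only from a rescue system rather than searched on the running box), as an added example that is not part of the original thread: `recently_modified` lists regular files whose mtime or ctime falls within the last N days, and `backdated_candidates` singles out files whose ctime is recent while the mtime is not, which is what an mtime reset with `touch` looks like. The function names and the `-printf` output format are my own choices and assume GNU find, as shipped on Knoppix and Red Hat.

```shell
#!/bin/sh
# Hypothetical helper functions, not from the original thread.
# Run from a rescue system against the mounted root of the
# compromised disk, e.g. recently_modified /mnt/suspect 5

# List regular files under $1 whose modification time (mtime) OR
# inode change time (ctime) is less than $2 days old. ctime is
# included because it is updated by chmod/chown/rename and by any
# attempt to rewrite mtime, and cannot be set back with touch.
# -xdev keeps find on the mounted filesystem (no /proc, no host disk).
# Output columns: mtime  ctime  path
recently_modified() {
    root=$1
    days=$2
    find "$root" -xdev -type f \
        \( -mtime "-$days" -o -ctime "-$days" \) \
        -printf '%TY-%Tm-%Td %TH:%TM  %CY-%Cm-%Cd %CH:%CM  %p\n' \
        2>/dev/null | sort
}

# Files whose inode changed recently but whose mtime claims to be old:
# either a legitimate metadata-only change or a backdated timestamp.
# Either way they deserve a closer look than an "ls -l" would give.
backdated_candidates() {
    root=$1
    days=$2
    find "$root" -xdev -type f -ctime "-$days" ! -mtime "-$days" \
        -print 2>/dev/null | sort
}
```

On a Red Hat system the same mounted root can additionally be compared against the package database with `rpm -Va --root <mountpoint>`, bearing in mind that a rootkit may have altered that database as well.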
