Security Basics mailing list archives
Re: redhat audit
From: Pierre BETOUIN <info16 () ifrance com>
Date: 17 Jun 2003 23:09:19 +0200
LKMs, for example, which hook syscalls, make the corrupted files nearly invisible on the compromised box... You have to mount the hard drive on a sane box to check md5sum integrity (compare sane files with yours using md5sum). If it's an LKM, make a little script to compare the modules you were using to the originals.

Pierre BETOUIN

On Tue 17/06/2003 at 17:33, Jan De Luyck wrote:
> On Monday 16 June 2003 23:01, Matthew Sallee wrote:
> > Recently my redhat box was compromised and I'm auditing changes that were made (I didn't notice for several days). I've been trying to create a command that will allow me to view all the files modified in the last x number of days. I've tried piping ls to grep with minimal success. Any help is greatly appreciated...
>
> To find all modified files after date x: find / -mtime -x
>
> But since you can change that relatively easily, you might want to check out tripwire, or any other IDS tool.
>
> Jan
-- Pierre BETOUIN GnuPG key : lynx -dump perso.club-internet.fr/unsignedchr/GnupgKey.asc | gpg --import
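As an added example (not code from the thread or from any of its authors), a small POSIX shell script that does what Pierre describes and also wraps Jan's find one-liner: hash every file of a suspect tree, such as the compromised disk mounted read-only on a clean host, against a known-good tree of the same files, and report what was modified, removed or added. The mount points and the demo trees are assumptions, constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the thread. Compare a suspect tree (e.g. the
# compromised disk mounted read-only on a clean host) against a known-good
# tree of the same files. Mount point names below are assumptions.

# Manifest of "md5  ./relative/path" for every regular file under $1.
# Paths are relative to the tree root so the two trees line up.
manifest() {
    ( cd "$1" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 -r md5sum )
}

# Compare a known-good tree ($1) with a suspect tree ($2). Prints one line
# per difference: MODIFIED, MISSING (gone from suspect) or ADDED (only in
# suspect). Whitespace in file names is not handled.
compare_trees() {
    good=$(mktemp) ; bad=$(mktemp)
    manifest "$1" > "$good"
    manifest "$2" > "$bad"
    awk 'NR == FNR { ref[$2] = $1; next }
         { seen[$2] = 1
           if (!($2 in ref))       print "ADDED    " $2
           else if (ref[$2] != $1) print "MODIFIED " $2 }
         END { for (p in ref) if (!(p in seen)) print "MISSING  " p }' \
        "$good" "$bad" | LC_ALL=C sort
    rm -f "$good" "$bad"
}

# Jan's suggestion: regular files under $1 changed within the last $2 days.
# mtime is trivially reset, so this only narrows the search; trust the hashes.
recently_modified() {
    find "$1" -type f -mtime -"$2" -print
}

# Constructed demo trees standing in for /mnt/goodref and /mnt/suspect.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/good/bin" "$d/suspect/bin"
    printf 'real ls\n'      > "$d/good/bin/ls"
    printf 'real ps\n'      > "$d/good/bin/ps"
    printf 'real netstat\n' > "$d/good/bin/netstat"
    printf 'real ls\n'      > "$d/suspect/bin/ls"       # untouched
    printf 'replaced ps\n'  > "$d/suspect/bin/ps"       # changed on disk
    printf 'extra\n'        > "$d/suspect/bin/.hidden"  # not in reference
    compare_trees "$d/good" "$d/suspect"
    rm -rf "$d"
}

demo
```

Run it with a real reference tree (a freshly installed box or the distribution packages) as the first argument and the read-only mounted suspect disk as the second; the reference must be the same package versions or every upgraded file shows as MODIFIED.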