Security Basics mailing list archives

RE: redhat audit


From: Duane Beck <DBeck () legendent com>
Date: Mon, 16 Jun 2003 19:54:18 -0400

> Recently my redhat box was compromised and I'm auditing changes that were
> made (I didn't notice for several days).
>
> I've been trying to create a command that will allow me to view all the
> files modified in the last x number of days.
>
> I've tried piping ls to grep with minimal success. Any help is greatly
> appreciated...

I believe "find / -mtime x" will do what you want.  "man find" for more
options.  Note that modification time is not necessarily a good indicator of
files that have been changed when a system has been compromised, if the
attacker has covered his/her tracks.  Depending on the changes they made,
you may not be able to easily find them without mounting the drive read-only
on a known-good system.
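The two points in the reply, "find / -mtime x" for a recent-change listing and the warning that mtime is unreliable once an attacker has covered their tracks, are shown together in the added script below. It is an illustration written for this archive page, not something posted in the thread. It assumes a POSIX find, touch and mktemp; the scratch directory and its two files are constructed for the demonstration. Beyond the reply's own suggestion, it also lists by ctime, because the kernel updates ctime on any change to a file's contents or metadata and touch(1) cannot set it, so a file whose mtime was backdated still carries a fresh ctime.

```shell
#!/bin/sh
# Added example (not from the original thread): listing recently changed files
# with find, and why ctime is a stronger signal than mtime after a compromise.
# Assumes POSIX find/touch/mktemp. The directory layout below is constructed.

# Print regular files under $1 whose contents changed (mtime) within the last $2 days.
# This is the reply's "find / -mtime x" with the usual refinements (-xdev keeps find
# on one filesystem, -type f skips directories and devices).
list_recent_mtime() {
    find "$1" -xdev -type f -mtime "-$2"
}

# Same listing keyed on inode change time (ctime). ctime cannot be set with
# touch(1), so a file whose mtime was pushed into the past still shows up here.
list_recent_ctime() {
    find "$1" -xdev -type f -ctime "-$2"
}

# Convenience wrappers that return a count instead of a listing.
count_recent_mtime() { list_recent_mtime "$1" "$2" | wc -l | tr -d ' '; }
count_recent_ctime() { list_recent_ctime "$1" "$2" | wc -l | tr -d ' '; }

# Build a constructed scratch tree: one ordinary file written just now, and one
# file whose mtime has been backdated to June 2003 (the kind of timestamp
# tampering the reply warns about). Prints the directory path.
make_scratch() {
    d=$(mktemp -d)
    printf 'ordinary config\n' > "$d/normal.conf"
    printf 'recently placed\n' > "$d/placed.sh"
    touch -t 200306160000 "$d/placed.sh"   # mtime now reads 2003; ctime is still "now"
    printf '%s\n' "$d"
}

# Stand-alone demonstration: the mtime listing misses placed.sh, the ctime listing does not.
main() {
    scratch=$(make_scratch)
    echo "Changed by mtime in the last day:"
    list_recent_mtime "$scratch" 1
    echo "Changed by ctime in the last day:"
    list_recent_ctime "$scratch" 1
    rm -rf "$scratch"
}

main "$@"
```

When the disk is mounted read-only on a known-good system, as the reply recommends, run the same functions with the mount point as the first argument instead of `/`; the listing is then produced by a trusted find binary rather than one on the compromised system.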
