If you are worried about unauthorized access to a Linux/Unix system, try tripwire - it digitally signs all system files and checks for changes on a regular basis. Of course, if you are rooted, tripwire may be compromised too, so it is also a good thing to send your system logs to a second Unix system - that really makes it hard for intruders to cover their tracks.

Regards,
Greg King
Cell: 403 850-1440
Email: [EMAIL PROTECTED]

> Message: 9
> Date: Tue, 31 Aug 2004 21:04:41 -0600
> From: Andrew Graupe <[EMAIL PROTECTED]>
> Subject: Re: [clug-talk] Log Activity
> To: CLUG General <[EMAIL PROTECTED]>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; format=flowed; charset=ISO-8859-1
>
> Peter Pankonin wrote:
>
> >On Tuesday 31 August 2004 06:51 pm, Matthew Kent wrote:
> >
> >>>I don't *think* anyone has broken in yet, but I can't be sure.
> >
> >As root, type "last" (without the quotes). Of course good hackers will have
> >covered their tracks and cleaned up after themselves...
> >
> >From "man last":
> >
> >Last searches back through the file /var/log/wtmp (or the file designated
> >by the -f flag) and displays a list of all users logged in (and out)
> >since that file was created.
> >
> >>I've never done it before, but I believe there are some standard kits to
> >>check for signs of a rooting.
> >
> >chkrootkit, http://www.chkrootkit.org/
>
> I've heard that it is only possible to be really sure if you have a
> guaranteed clean copy of the basic UNIX utilities, because skilled
> hackers will replace some of the utilities chkrootkit uses with hacked
> copies that will cover their actions. Any suggestions on how to do this?

_______________________________________________
clug-talk mailing list
[EMAIL PROTECTED]
http://clug.ca/mailman/listinfo/clug-talk_clug.ca
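
The file-integrity idea discussed in this thread, sketched as an added example that is not part of the original messages and is not Tripwire's own implementation or database format. It assumes the HMAC key and the sealed baseline are stored off the monitored host; the function names, the demo key and the sample files are constructed for illustration.

```python
import hashlib, hmac, json, os, tempfile
from pathlib import Path

def build_baseline(root):
    """Map each regular file under root (relative path) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # this sketch covers regular files only
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            baseline[os.path.relpath(path, root)] = h.hexdigest()
    return baseline

def seal(baseline, key):
    """HMAC-SHA256 over the canonical JSON of the baseline (key kept off-host)."""
    blob = json.dumps(baseline, sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def check(root, baseline, tag, key):
    """Return (baseline_trusted, changes); refuse to compare an unsealed baseline."""
    if not hmac.compare_digest(seal(baseline, key), tag):
        return False, {}
    current = build_baseline(root)
    return True, {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }

def demo():
    """Constructed scenario: one utility replaced, one file added, baseline rewritten."""
    key = b"constructed-demo-key"  # assumption: real key lives on another machine
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("ls", b"ls v1"), ("ps", b"ps v1")):
            Path(root, name).write_bytes(data)
        baseline = build_baseline(root)
        tag = seal(baseline, key)
        Path(root, "ps").write_bytes(b"ps replaced")   # utility swapped on disk
        Path(root, "new_binary").write_bytes(b"x")     # file that was not in the baseline
        ok, changes = check(root, baseline, tag, key)
        # A baseline regenerated on the altered host no longer matches the seal.
        forged_ok = check(root, build_baseline(root), tag, key)[0]
    return ok, changes, forged_ok

if __name__ == "__main__":
    print(demo())
```

The seal is what makes a rewritten baseline detectable, but only while the key and the checking code itself come from somewhere the altered host cannot modify.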

