"Brian T. Schellenberger" wrote:
> 
> If that's the case, then why does the report say that there's a
> *difference* in the suid root files?  Why does it claim that all of
> those are *changed*?  It doesn't merely claim that they *are* suid root;
> it claims that they *changed*.

My apologies.  You are correct.

One of the lovely advantages of having two logical partitions set up
with the same Linux is that now the victim could actually compare all
those files with the virgin copies using diff or md5sum to ascertain
whether the files have actually been changed or whether msec's record
of things got corrupted (msec is on its first release, remember, and
hiccups can be expected).

I'm sceptical that he in fact was hacked - why would the hacker make
that odd set of partial changes? - and would look for alternative
possibilities, including a hardware hiccup.

-- 

Regards,

Ron. [AU] - sent by Linux.
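
The comparison suggested in the message above, as an added example that is not part of the original post: every setuid file on the suspect install is checked against the same path on the clean install, by content hash and by mode and owner. The function name, the report labels and the mount point `/mnt/suspect` are assumptions made for illustration, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: compare setuid files on a suspect install against a clean copy.
# Intended use (paths are assumptions): boot the clean partition, mount the
# suspect one read-only at /mnt/suspect, then run:
#     sh compare_suid.sh /mnt/suspect /
# Add "-user root" to the find expression to restrict it to suid *root* files.

compare_suid() {
    suspect=${1%/}   # root of the install being examined
    clean=${2%/}     # root of the reference install
    find "$suspect" -xdev -type f -perm -4000 -print | sort |
    while IFS= read -r f; do
        rel=${f#"$suspect"}      # path relative to the suspect root
        ref=$clean$rel           # same path on the clean install
        if [ ! -f "$ref" ]; then
            # suid file with no counterpart on the clean install
            echo "MISSING $rel"
        elif [ "$(md5sum < "$f")" != "$(md5sum < "$ref")" ]; then
            # contents differ: the binary itself has changed
            # (md5sum as named in the message; sha256sum is a drop-in)
            echo "CHANGED $rel"
        elif [ "$(stat -c '%a %u %g' "$f")" != "$(stat -c '%a %u %g' "$ref")" ]; then
            # same bytes, different mode or owner
            echo "META $rel"
        else
            # identical content and metadata: the report, not the file, is off
            echo "SAME $rel"
        fi
    done
}

# Run directly when given both roots on the command line.
if [ "$#" -eq 2 ]; then
    compare_suid "$1" "$2"
fi
```

A report consisting only of `SAME` lines points at the checker's own records rather than at the files; any `CHANGED` or `MISSING` line is a file to examine by hand.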
