In response to "Brent" <[EMAIL PROTECTED]>:

> Hello,
> I'm running several servers all ranging from FBSD 4.11 through the 5.4 release,
> patched of course. My question is how do I check a system to see if it has been
> compromised? I have already run a current version of "chkrootkit" & found
> nothing.

You need to plan ahead and install Samhain (or equiv) on the machines _before_ they're deployed so you can detect unauthorized changes.

> The symptom I'm seeing is yesterday all of a sudden the root user was removed
> from the /etc/passwd file & I'm not sure on how to track down what happened. I
> managed to recover from this. Are there any other tools that I can use to
> track down say who did what on the box? Files that may have changed & time &
> dates...

Yeah, Samhain and its class of software. Unfortunately, you have to have it set up _before_ this happens in order for it to be useful.

--
Bill Moran
Collaborative Fusion Inc.
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
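
The baseline-then-compare idea behind Samhain-class tools, sketched in Python as an added example (not part of the original message and not Samhain's own code). The function names, the demo key and the passwd contents are constructed for illustration; the HMAC seal stands in for keeping the baseline somewhere an intruder with root cannot rewrite it.

```python
import hashlib, hmac, json, os, stat, tempfile

def snapshot(paths):
    """Baseline: SHA-256 plus mode/owner/size for every existing file in paths."""
    db = {}
    for p in paths:
        if not os.path.isfile(p):
            continue                      # absent files show up as "missing" in compare()
        st = os.stat(p)
        with open(p, "rb") as f:
            digest = hashlib.sha256(f.read()).hexdigest()
        db[p] = {"sha256": digest, "mode": stat.S_IMODE(st.st_mode),
                 "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size}
    return db

def seal(db, key):
    """HMAC over the canonical JSON of the baseline; the key is kept off the monitored host."""
    blob = json.dumps(db, sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def compare(baseline, tag, key, paths):
    """Return sorted (path, finding) pairs; refuse a baseline whose seal does not verify."""
    if not hmac.compare_digest(seal(baseline, key), tag):
        raise ValueError("baseline failed integrity check")
    current = snapshot(paths)
    findings = []
    for p in sorted(set(baseline) | set(current)):
        if p not in baseline:
            findings.append((p, "added"))
        elif p not in current:
            findings.append((p, "missing"))
        else:
            diff = [k for k in sorted(current[p]) if current[p][k] != baseline[p][k]]
            if diff:
                findings.append((p, "changed:" + ",".join(diff)))
    return findings

def demo():
    """Constructed data: a two-line passwd file that later loses its root entry."""
    key = b"constructed-demo-key"
    passwd = os.path.join(tempfile.mkdtemp(), "passwd")
    with open(passwd, "w") as f:
        f.write("root:*:0:0:Charlie &:/root:/bin/csh\nbrent:*:1001:1001::/home/brent:/bin/sh\n")
    base = snapshot([passwd])             # taken before deployment
    tag = seal(base, key)
    with open(passwd, "w") as f:          # the change seen in the thread: root line gone
        f.write("brent:*:1001:1001::/home/brent:/bin/sh\n")
    return [(os.path.basename(p), what) for p, what in compare(base, tag, key, [passwd])]
```

Calling `demo()` reports the passwd file as changed; without the snapshot taken beforehand there is nothing to compare against, which is the point made in the reply.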
