Hello, I'm running several servers, all ranging from FBSD 4.11 through the 5.4 release, patched of course. My question is: how do I check a system to see if it has been compromised? I have already run a current version of "chkrootkit" & found nothing.
There isn't a simple answer to that, but start with looking under /var/log and at the output of `last`. You might consider running tcpdump -o _file_ for a day or so and review it for illicit traffic.
The symptom I'm seeing is that yesterday, all of a sudden, the root user was removed from the /etc/passwd file & I'm not sure how to track down what happened. I managed to recover from this. Are there any other tools that I can use to track down, say, who did what on the box? Files that may have changed & times & dates...
find / -mtime 2 ...would probably be a good starting point.

--
-Chuck

_______________________________________________
firstname.lastname@example.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
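Both replies above come down to the same question: what changed on the box, and when. The script below is an added example, not code from the thread or from FreeBSD itself, that turns those suggestions into something repeatable in plain POSIX sh (awk, find, cksum, diff and sort only, so it runs on a 4.11 or 5.4 box as well as on Linux). It checks that a passwd file still carries a uid-0 root entry, lists any other uid-0 accounts, lists files modified within the last N days (using find's `-mtime -N` form, which matches "modified less than N days ago"), and compares a directory against a previously saved checksum manifest so you can see exactly which files changed. The paths and the three-argument calling convention are assumptions for illustration; the sample passwd lines in the test are constructed, not taken from any real system.

```shell
#!/bin/sh
# Added example, not code from the thread: a small POSIX sh triage kit for
# the two questions raised above (is root still in /etc/passwd, and what
# changed recently). Uses only awk, find, cksum, diff and sort, all present
# on FreeBSD 4.x/5.x. Paths passed to the functions are assumptions; any
# sample data used with it is constructed for illustration.

# Return 0 if the passwd file $1 still carries a "root" entry with uid 0.
has_root_entry() {
    awk -F: '$1 == "root" && $3 == 0 { found = 1 } END { exit !found }' "$1"
}

# Print any uid-0 accounts other than root in passwd file $1.
# FreeBSD ships "toor" as a (locked) uid-0 account, so review the list
# rather than panic; any unexpected name here is a classic backdoor.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print regular files under $1 whose mtime is less than $2 days old.
# An intruder with root can backdate mtime with touch -t, but that still
# bumps ctime, so pair this with find -ctime when you suspect tampering.
recent_files() {
    find "$1" -type f -mtime "-$2" 2>/dev/null | sort
}

# Write a "crc size path" manifest for every regular file under $1.
# Keep the output off the box (or on read-only media): a baseline the
# intruder can edit proves nothing.
make_manifest() {
    find "$1" -type f 2>/dev/null | sort | while IFS= read -r f; do
        cksum "$f"
    done
}

# Compare stored manifest $1 against the current state of directory $2.
# Prints differing lines (< baseline, > current) and returns 1 if any file
# changed, appeared or disappeared; returns 0 when everything matches.
diff_manifest() {
    tmp="${TMPDIR:-/tmp}/manifest.$$"
    make_manifest "$2" > "$tmp"
    changes=$(diff "$1" "$tmp" | grep '^[<>]' || true)
    rm -f "$tmp"
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

# Stand-alone use:  sh triage.sh /etc/passwd /usr/local/bin 2
# (assumed arguments: passwd file, directory to inspect, days back)
if [ "$#" -eq 3 ]; then
    if has_root_entry "$1"; then echo "root entry present in $1"
    else echo "WARNING: no uid-0 root entry in $1"; fi
    echo "uid-0 accounts besides root:"; extra_uid0_accounts "$1"
    echo "files under $2 modified in the last $3 days:"; recent_files "$2" "$3"
fi
```

Two caveats a practitioner would add. First, a rootkit that chkrootkit does not recognise may have replaced find, ls, ps or netstat, so run these checks from binaries you trust (a fixit CD, or a known-good copy of the release's /rescue or /bin on read-only media). Second, the manifest comparison is only as good as its baseline: take `make_manifest` output from the box before any incident, or from a fresh install of the same release with the same packages, and store it where root on the suspect machine cannot rewrite it.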