On Thu, Oct 18, 2007 at 01:04:38AM -0500, Joshua Isom wrote:
> If a simple 'locate sploger' shows nothing (run `periodic weekly` which
> will update your locate database assuming you're keeping things
> relatively stock), then in all likelihood you've got an intruder. If
> some of the other tips posted give no help, and you've got time on your
> hands, try `grep -l sploger /` and you'll find all files with sploger
> in it. If you've been broken into and they're being really tricky, it
> won't work but odds are they aren't that bright if the process is still
> in ps's output.
You might also (if you're in a little more of a hurry and taking the computer out of production for a little bit isn't a problem) boot from a LiveCD, mount all partitions from your hard drive so they're available from the LiveCD OS, then updatedb and locate sploger so you're using tools that haven't been compromised. Even if it's not actually quicker, it should *seem* quicker than using grep -- and if grep doesn't work, this is more likely to work.

In the future, you may want to think about using some kind of integrity auditing tool to periodically check for unauthorized changes. Tripwire is the canonical integrity auditing tool, but you can also use mtree and even rsync for integrity auditing.

--
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
They always say that when life gives you lemons you should make lemonade.
I always wonder -- isn't the lemonade going to suck if life doesn't give you any sugar?
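The integrity-auditing idea in the reply above (mtree, Tripwire, rsync), shown as an added example that is not from the thread or from any of those tools: a small POSIX sh script that records a baseline of permissions, size and SHA-256 digest for every regular file under a directory and later diffs the live tree against it. The function names and the baseline format are my own; the script assumes `find`, `diff`, `cmp`, `mktemp` and one of `sha256sum`, `sha256` or `shasum` are available.

```shell
#!/bin/sh
# Hypothetical mtree/Tripwire-style integrity check (constructed example).
# Baseline: one line per regular file, "path perms size sha256", sorted so
# two baselines of an unchanged tree are byte-identical. Run the check from
# a LiveCD with the audited partition mounted, so the tools are trusted.

# SHA-256 of one file, using whichever tool the host has
# (sha256sum on Linux, sha256 on FreeBSD, shasum elsewhere).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"
    else shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# make_baseline DIR OUT: record every regular file under DIR into OUT.
make_baseline() {
    (cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s %s %s\n' "$f" "$(ls -ld "$f" | cut -c1-10)" \
            "$(wc -c < "$f" | tr -d ' ')" "$(hash_file "$f")"
    done) > "$2"
}

# check_baseline DIR BASELINE: return 0 if DIR still matches BASELINE;
# otherwise print the differences (< baseline, > live) and return 1.
# Added, removed and modified files all show up in the diff.
check_baseline() {
    tmp=$(mktemp) || return 2
    make_baseline "$1" "$tmp"
    if cmp -s "$2" "$tmp"; then
        rm -f "$tmp"; return 0
    fi
    echo "INTEGRITY MISMATCH under $1 (< baseline, > live):"
    diff "$2" "$tmp" || :
    rm -f "$tmp"
    return 1
}
```

Store the baseline file off the audited machine (or on read-only media); a baseline that an intruder can rewrite proves nothing.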