On Wed, Aug 09, 2006 at 02:09:54PM +1200, Steve Holdoway wrote:
> On Wed, 09 Aug 2006 03:01:26 +0100
> Jim Cheetham <[EMAIL PROTECTED]> wrote:
>
> > On Wed, Aug 09, 2006 at 01:17:11PM +1200, Phill Coxon wrote:
> > > ** Is there any way to monitor a file and log which processes or scripts
> > > access and / or modify it?
> >
> > Under Solaris 10 or some BSDs you could run dtrace ... but under Linux
> > I'm not aware of anything that would operate like that. You could
> > examine any running process using point-in-time tools like lsof and
> > strace, but that won't help you very much.
> >
> http://blogs.sun.com/roller/page/ahl?entry=dtrace_for_linux - not easy, but
> possible!

Well, it's not really Linux if it's running brandz :-) as that's emulating the kernel for you. But it's still your environment (i.e. everything from the init process down) so it would work.

However, the only real response to a compromised system is a complete reinstall from known-good media, and a very careful scan of user data that needs to be restored. Both sound slightly out of scope for the OP at the moment.
