On Tue, 20 Nov 2001, macky wrote:
> Can anyone tell me the most common steps to be taken to know if someone has
> taken over your system?
> Definitely the first thing to look at is the LOGS.. am I right? :)
>
Some additional clues that may help you detect intrusions:
1) examine logs (/var files)
2) use 'last' to list user access, though this is related to 1)
3) changes in the root $PATH
4) suspicious /tmp files
5) substitution of commonly used commands (like ls may now be pointing
to a trojan ls)
6) look for newly installed files using 'find'
7) use netstat to detect ESTABLISHED connections and close those
vulnerable ports
rowel
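
Checks 3), 5) and 6) from the list above, written as POSIX shell functions. This is an added example, not part of rowel's message; the function names (is_loose, audit_path, first_hit, recent_files) and the set of directories treated as system directories are assumptions made for the illustration.

```sh
#!/bin/sh
# Added illustration of items 3, 5 and 6; all function names are hypothetical.

# True if directory $1 is writable by group or other (-H follows a symlinked /bin).
is_loose() {
    [ -n "$(find -H "$1" -prune \( -perm -0020 -o -perm -0002 \) -print 2>/dev/null)" ]
}

# Item 3: report PATH entries where a non-root user could plant a command.
# An empty entry or "." means "current directory".
audit_path() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r dir; do
        case $dir in
            ''|.) echo "cwd-in-path: '$dir'" ;;
            /*)   if is_loose "$dir"; then echo "writable-dir: $dir"; fi ;;
            *)    echo "relative: $dir" ;;
        esac
    done
}

# Item 5: print the first executable named $1 along PATH string $2 and
# return 1 if it sits outside the usual system directories.
# The body is a subshell "( )" so that exit only leaves this function.
first_hit() (
    printf '%s\n' "$2" | tr ':' '\n' | while IFS= read -r dir; do
        [ -n "$dir" ] || dir=.
        if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
            echo "$dir/$1"
            case $dir in
                /bin|/sbin|/usr/bin|/usr/sbin) exit 0 ;;
                *) exit 1 ;;
            esac
        fi
    done
)

# Item 6: regular files under $1 modified in the last $2 days. mtime can be
# reset with touch, so an empty result is not proof that nothing changed.
recent_files() {
    find "$1" -xdev -type f -mtime "-$2" -print 2>/dev/null
}

# Example run against the live system (run as root to audit root's PATH).
audit_path "$PATH"
first_hit ls "$PATH" >/dev/null || echo "ls is not resolved from a system directory"
```

A replaced binary that sits in /bin itself passes first_hit, so this complements comparing system binaries against known-good copies rather than replacing it.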
Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph