On Mon, Jun 16, 2003 at 03:01:05PM -0600, Matthew Sallee wrote:
> recently my redhat box was compromised and i'm auditing changes that were made
> (i didn't notice for several days).
>
> i've been trying to create a command that will allow me to view all the files
> modified in the last x number of days.
>
> i've tried piping ls to grep with minimal success. any help is greatly
> appreciated...
>
> matt
Because any good attacker would install a root-kit on your machine, it is nearly impossible to detect modified files if the machine is running. Try to boot the box with a rescue linux system like knoppix: http://www.knoppix.org/

Then you have a chance to find out what has been done.

Ulrich

-- 
http://www.derkeiler.com
PGP Fingerprint: 5FA4 4C01 8D92 A906 E831 CAF1 3F51 8F47 1233 9AAD
Public key available at http://www.derkeiler.com/uk/pgp-key.asc
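The procedure the reply describes (boot a clean rescue system, then inspect the suspect disk from there) combined with the original question (list files modified in the last N days), as an added shell example that is not part of the original thread. It assumes the compromised root partition is attached to the rescue system under a placeholder device name in `SUSPECT_DEV`; the mount point `/mnt/suspect` and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread. Assumes the
# compromised disk is attached to a clean rescue system (e.g. one booted
# from a live CD) and that SUSPECT_DEV names its root partition (placeholder).

# Mount the suspect root read-only, with execution disabled, so the audit
# changes nothing on it and nothing from it can run on the rescue system.
mount_suspect() {
    dev=$1; mnt=$2
    mkdir -p "$mnt"
    mount -o ro,noexec,nosuid,nodev "$dev" "$mnt"
}

# List regular files under ROOT modified within the last DAYS days.
# -xdev stops find from crossing into other mounted filesystems (the rescue
# system's own /proc, /dev, and so on). -mtime -N means "less than N*24h ago".
recently_modified() {
    root=$1; days=$2
    find "$root" -xdev -type f -mtime -"$days" -print
}

# Same idea relative to a reference file: anything modified after REF was.
# Handy when a log entry or the last known-good package install gives you
# a timestamp to compare against instead of a day count.
modified_since() {
    root=$1; ref=$2
    find "$root" -xdev -type f -newer "$ref" -print
}

# Inode change time is harder to reset than mtime (touch cannot set it
# without changing the system clock), so a ctime sweep catches files whose
# mtime was backdated after modification.
recently_changed() {
    root=$1; days=$2
    find "$root" -xdev -type f -ctime -"$days" -print
}

# Number of hits, for a quick "did anything change at all?" check.
count_recently_modified() {
    recently_modified "$1" "$2" | wc -l | tr -d ' '
}

# Only runs when a device is supplied, so the functions can also be sourced.
if [ -n "${SUSPECT_DEV:-}" ]; then
    mount_suspect "$SUSPECT_DEV" /mnt/suspect
    recently_modified /mnt/suspect 7 | while read -r f; do ls -ld "$f"; done
fi
```

All options used here (`-xdev`, `-mtime`, `-ctime`, `-newer`) are POSIX `find`, so the same script works from a Knoppix-style rescue environment or any other Unix. The timestamp sweep is a first pass only: an attacker who controls the box can backdate mtimes, so the results are a list of candidates to compare against known-good package checksums, not proof that untouched files are clean.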