LKMs, for example, which hook syscalls, make the corrupted files nearly invisible on the compromised box...
You have to mount the hard drive on a sane box to check md5sum integrity (compare the sane files with yours using md5sum). If it's an LKM, make a little script to compare the modules you were using to the originals.

Pierre BETOUIN

On Tue 17/06/2003 at 17:33, Jan De Luyck wrote:
> On Monday 16 June 2003 23:01, Matthew Sallee wrote:
> > recently my redhat box was compromised and i'm auditing changes that were
> > made (i didn't notice for several days).
> >
> > i've been trying to create a command that will allow me to view all the files
> > modified in the last x number of days.
> >
> > i've tried piping ls to grep with minimal success. any help is greatly
> > appreciated...
>
> To find all modified files after date x: find / -mtime -x
>
> But since you can change that relatively easily, you might want to check out
> tripwire, or any other IDS tool.
>
> Jan

--
Pierre BETOUIN
GnuPG key : lynx -dump perso.club-internet.fr/unsignedchr/GnupgKey.asc | gpg --import
signature.asc
Description: This is a digitally signed message part
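The two checks discussed in this thread, as an added example that is not code from Pierre, Jan or the original poster: Jan's `find / -mtime -x` for recently modified files, and Pierre's offline comparison of a suspect disk (mounted on a sane box) against known-good files with md5sum, including the contents of `lib/modules` so replaced or added LKMs show up. The script assumes `md5sum`, `find`, `awk`, `sort` and `mktemp` are available and that file names contain no spaces; the two directory trees it builds are constructed sample data standing in for a clean install and for the mounted suspect disk, not files from any real incident.

```shell
#!/bin/sh
# Added example for the thread above, not the posters' own code.
# Assumptions: md5sum/find/awk/sort/mktemp present; no spaces in file names
# (md5sum's "HASH  ./path" lines are split on whitespace); REF is non-empty.

# hash_tree DIR: print "MD5  ./relative/path" for every regular file under
# DIR, sorted by path.  Relative paths let a known-good tree (clean install
# or trusted backup) be compared with a suspect disk mounted somewhere else,
# e.g. hash_tree /mnt/suspect vs. hash_tree /  (paths are assumptions).
hash_tree() {
    ( cd "$1" && find . -type f -exec md5sum {} + ) | sort -k2
}

# changed_files REF SUSPECT: one line per difference between the two trees,
# tagged MISSING (in REF only), MODIFIED (hash differs) or ADDED (in SUSPECT
# only).  Prints nothing when the trees are identical.
changed_files() {
    ref_manifest=$(mktemp)
    sus_manifest=$(mktemp)
    hash_tree "$1" > "$ref_manifest"
    hash_tree "$2" > "$sus_manifest"
    # First file fills ref[], second fills sus[]; END walks both maps.
    awk 'FNR == NR { ref[$2] = $1; next }
         { sus[$2] = $1 }
         END {
             for (f in ref) {
                 if (!(f in sus))           print "MISSING  " f
                 else if (ref[f] != sus[f]) print "MODIFIED " f
             }
             for (f in sus) if (!(f in ref)) print "ADDED    " f
         }' "$ref_manifest" "$sus_manifest" | sort
    rm -f "$ref_manifest" "$sus_manifest"
}

# recently_modified DIR DAYS: Jan's "find / -mtime -x" applied to a mounted
# tree.  Cheap, but mtime is attacker-controlled (touch -t resets it), so
# this list can be incomplete; the hash comparison above is the real check.
recently_modified() {
    ( cd "$1" && find . -type f -mtime -"$2" ) | sort
}

# make_demo_trees: constructed sample data, not from a real system.
# DEMO_REF plays the clean install, DEMO_SUSPECT the compromised disk:
# bin/ps is replaced and its mtime backdated, and an unknown module appears.
make_demo_trees() {
    DEMO_REF=$(mktemp -d)
    DEMO_SUSPECT=$(mktemp -d)
    for root in "$DEMO_REF" "$DEMO_SUSPECT"; do
        mkdir -p "$root/bin" "$root/lib/modules"
        printf 'original ls\n'     > "$root/bin/ls"
        printf 'original ps\n'     > "$root/bin/ps"
        printf 'original ext3.o\n' > "$root/lib/modules/ext3.o"
    done
    printf 'trojaned ps\n' > "$DEMO_SUSPECT/bin/ps"
    touch -t 200306010000 "$DEMO_SUSPECT/bin/ps"      # backdated to 1 June 2003
    printf 'unknown lkm\n' > "$DEMO_SUSPECT/lib/modules/unknown.o"
}

make_demo_trees
echo "Changed in the last 7 days (find -mtime -7) on the suspect disk:"
recently_modified "$DEMO_SUSPECT" 7         # the backdated bin/ps is not listed
echo "Differences against the known-good tree (md5sum):"
changed_files "$DEMO_REF" "$DEMO_SUSPECT"   # ADDED ./lib/modules/unknown.o, MODIFIED ./bin/ps
rm -rf "$DEMO_REF" "$DEMO_SUSPECT"
```

Run the hashing from the sane box with the suspect disk mounted read-only (`mount -o ro,noexec`), so that neither the hashing binaries nor the kernel doing the reads come from the compromised system; that is the whole point of Pierre's advice, since an LKM on the running box can hide or rewrite what `md5sum` sees.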