On Thu, Mar 3, 2011 at 8:44 PM, Steven Miano <[email protected]> wrote:
> Did they clear out their history? > > /home/user/.bash_history would seemingly be a pretty good place to start. > Also you could check out their username in /var/log, and see all instances > of what they might have done.... > > .bash_history will not tell you what change was made exactly. It will tell you which file was opened.But inside that file what was modified it wont tell you. I am looking not only to track the exact change which might be in a location other than etc also if some kind of script or .so file or some thing similar was added. One way I understand is do an ls on / and store the result in a file and then after the changes have been done where some files are delete again do an ls on / (root) and compare the results to what files are added or deleted.
-- ubuntu-server mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-server More info: https://wiki.ubuntu.com/ServerTeam
