Date:      Wed, 28 Jun 2006 08:57:33 -0400
From:      Lee Capps <lcapps@cteresource.org>
To:        Brent <mrb@bmyster.com>
Cc:        questions@freebsd.org
Subject:   Re: how to check for a compromised system
Message-ID:  <20060628125732.GB7829@hank.cteresource.org>
In-Reply-To: <20060628122920.M72053@bmyster.com>
References:  <20060628122920.M72053@bmyster.com>

At 08:40 Wed 28 Jun 2006, Brent wrote:
 
> The symptom I'm seeing is yesterday all of a sudden the root user was removed
> from the /etc/passwd file & I'm not sure on how to track down what happened. I
> managed to recover from this. Are there any other tools that I can use to
> track down say who did what on the box? files that may have changed & time &
> dates...

There's another root kit search tool I've used called rkhunter.
It's in ports.

Have you rebooted the machine?  Sorry if this is obvious, but if
not, you could look for suspicious processes.  'Course, if you've
been rooted, you can't trust any of your binaries, including
'ps.'

What services was the machine running?  Maybe you could check
the modification time on /etc/passwd and look around that time in
the apache (or whatever) log files?

The one time I've dealt with a system compromise, I was able to
track down what happened by looking at the apache log files
(they got in using a php exploit).  But I caught it fairly
quickly, and they never got root.

Probably some others here are wiser and more experienced than I.
HTH,

Lee

-- 
Lee Capps
Technology Specialist
CTE Resource Center
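Lee's suggestion of lining up the modification time of /etc/passwd with the web-server log can be scripted. The following is an added example, not code from this thread; it assumes Apache common/combined log timestamps and works over constructed sample lines.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Apache common/combined log format carries its timestamp in square brackets,
# e.g. [28/Jun/2006:08:31:07 -0400].
_TS_RE = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")
_TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_log_time(line):
    """Return the timezone-aware timestamp of an Apache access-log line, or None."""
    m = _TS_RE.search(line)
    return datetime.strptime(m.group(1), _TS_FMT) if m else None


def file_mtime(path="/etc/passwd"):
    """Modification time of a file as an aware datetime in the host's local zone.

    Caveat: on a rooted box mtime is as untrustworthy as the binaries; treat it
    as a starting point for the search, not as proof of when the change happened.
    """
    return datetime.fromtimestamp(os.stat(path).st_mtime).astimezone()


def requests_near(mtime, lines, window_minutes=10):
    """Return log lines whose timestamp lies within +/- window_minutes of mtime.

    Lines without a parseable timestamp are skipped instead of raising, so a
    partially corrupted log still yields the entries around the event.
    """
    window = timedelta(minutes=window_minutes)
    hits = []
    for line in lines:
        ts = parse_log_time(line)
        if ts is not None and abs(ts - mtime) <= window:
            hits.append(line)
    return hits


# Constructed sample data (hypothetical hosts and requests, not from the thread).
SAMPLE_MTIME = datetime(2006, 6, 28, 8, 33, 0, tzinfo=timezone(timedelta(hours=-4)))
SAMPLE_LOG = [
    '10.0.0.5 - - [28/Jun/2006:07:55:12 -0400] "GET /index.php HTTP/1.1" 200 1234',
    '10.0.0.9 - - [28/Jun/2006:08:29:41 -0400] "POST /upload.php HTTP/1.1" 200 88',
    "truncated line with no timestamp at all",
    '10.0.0.9 - - [28/Jun/2006:08:32:03 -0400] "GET /admin/login.php HTTP/1.1" 302 0',
    '10.0.0.5 - - [28/Jun/2006:09:45:00 -0400] "GET /index.php HTTP/1.1" 200 1234',
]

if __name__ == "__main__":
    for hit in requests_near(SAMPLE_MTIME, SAMPLE_LOG):
        print(hit)
```

To run it against a real host, replace SAMPLE_MTIME with file_mtime() and SAMPLE_LOG with the lines of the access log, remembering that a rotated or compressed log from the day of the event may be the one that matters.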