[NCLUG] openssh

Sean Reifschneider jafo-nclug at tummy.com
Tue Jan 15 13:27:49 MST 2002


On Tue, Jan 15, 2002 at 09:46:23AM -0700, nclug wrote:
>We've seen a few "intrusions" lately on some of our client's machines
>also with similar hiddens.  Do you know of any good way to find all
>of the files and directories that have been hidden?

Well, that's kind of what tripwire is meant to do...  Also, on RPM-based
systems you can do "rpm -Va", which will check all the files it's installed
for modifications, as long as the rpm command and its database haven't
been modified.

However, I usually consider a compromised machine suspect until it's been
re-installed.  We've run into a couple of situations where we did our best
to clean out compromised files, everything looked pretty straightforward
and easy to fix, and the attackers were back in within a few days, even
though the mechanisms that had been used to originally break in were
removed.

The fresh re-install and carefully moving over the old data files mechanism
always seems to work fine.

Sean
-- 
 Come see the violence inherent in the system!
 Help!  Help!  I'm being repressed!  -- Monty Python and the Holy Grail
Sean Reifschneider, Inimitably Superfluous <jafo at tummy.com>
tummy.com - Linux Consulting since 1995. Qmail, KRUD, Firewalls, Python
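An added example (not from the original post) of triaging the "rpm -Va" output the reply mentions: it separates changed config files from changed binaries and missing files, which are the cases worth treating as suspect. The sample lines are constructed to imitate the rpm -Va format; the function and variable names are my own, and, as the post warns, the whole check still assumes the rpm binary and its database were not themselves tampered with.

```shell
#!/bin/sh
# Triage of "rpm -Va" output (added example, not the original poster's code).
# Each rpm -Va line is an attribute string (S size, M mode, 5 MD5 digest,
# D device, L link, U user, G group, T mtime, P capabilities; "." means
# unchanged), then an optional file-type flag (c = config file), then the
# path. "missing" lines mean a packaged file is gone entirely.
# A non-config file whose digest, size or mode changed is what a replaced
# binary looks like, so it is reported as SUSPECT; changed config files are
# expected on a running system and are reported separately as CONFIG.
# Caveat from the post: this trusts the rpm command and its database.

rpm_verify_triage() {
    awk '
    /^missing/ { print "MISSING  " $NF; next }
    {
        attrs = $1
        type  = ($2 ~ /^[cdglr]$/) ? $2 : ""
        path  = $NF
        if (attrs !~ /[SM5]/) next          # only mtime/owner noise: skip
        if (type == "c") print "CONFIG   " path " (" attrs ")"
        else             print "SUSPECT  " path " (" attrs ")"
    }'
}

# Constructed sample lines imitating rpm -Va output (not real findings).
SAMPLE='S.5....T.    /bin/ls
.......T.    /usr/bin/vim
S.5....T.  c /etc/ssh/sshd_config
missing     /usr/sbin/sshd
..5......    /usr/bin/ps'

# Number of non-config files with a changed digest, size or mode.
count_suspect() {
    printf '%s\n' "$SAMPLE" | rpm_verify_triage | grep -c '^SUSPECT'
}

# Number of packaged files that are missing outright.
count_missing() {
    printf '%s\n' "$SAMPLE" | rpm_verify_triage | grep -c '^MISSING'
}

printf '%s\n' "$SAMPLE" | rpm_verify_triage
```

On a real host, replace the constructed sample with `rpm -Va | rpm_verify_triage`, ideally running rpm from known-good media rather than the suspect system's own binary.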