From: Rex Monty di Bona (rexcomsmiths.com.au)
Date: Tue Mar 26 2002 - 13:31:36 CST
Mike P wrote:
> In-Reply-To: <15519.31424.834354.758874gargle.gargle.HOWL>
> I would search for root kits first. Try
> http://www.chkrootkit.org/. Hopefully, you run tripwire
> or something like it.
Even if you don't run tripwire you can do a basic tripwire
test against another machine. Build a database against a
machine running same OS release/patches that doesn't include
time stamps or inode number, so record owners, sizes, perms,
checksums, number of links and compare this to the affected
machine (booted from alternate media in both cases in case
the libraries are corrupted on the questionable machine).
There will probably be lots of false alerts depending on
additional packages installed, so it takes a while to read
the output. But, it does tell you if the machine is clean.

The other choice is to use the sunsolve fingerprint database
and check things like inetd, csmd, etc. I'd probably do this
to things that looked doubtful from a tripwire scan.
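The comparison the post describes, as an added example that is neither the poster's nor Tripwire's code: it records owner, size, permissions, link count and a checksum (no timestamps, no inode numbers) for every file under two trees and reports each difference as an alert. The function names and the sample trees are assumptions; on a real case both manifests would be built from the machines booted off alternate media.

```python
import hashlib
import os
import stat
import tempfile

def build_manifest(root):
    # Per relative path, keep only what should match across two machines on the
    # same OS release/patch level: owner, size, perms, link count, checksum.
    manifest = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # no timestamps, no inode number recorded
            entry = {"owner": (st.st_uid, st.st_gid), "size": st.st_size,
                     "perms": stat.S_IMODE(st.st_mode), "nlink": st.st_nlink}
            if stat.S_ISREG(st.st_mode):  # symlinks and devices get no checksum
                with open(path, "rb") as f:
                    entry["sha256"] = hashlib.sha256(f.read()).hexdigest()
            manifest[os.path.relpath(path, root)] = entry
    return manifest

def compare_manifests(reference, suspect):
    # Return {path: reason}; every entry is an alert to be read by hand.
    alerts = {}
    for path, ref in reference.items():
        cur = suspect.get(path)
        if cur is None:
            alerts[path] = "missing on suspect machine"
            continue
        changed = sorted(k for k in ref if ref[k] != cur.get(k))
        if changed:
            alerts[path] = "changed: " + ",".join(changed)
    for path in suspect:
        if path not in reference:
            alerts[path] = "extra on suspect machine (maybe an added package)"
    return alerts

def demo():
    # Constructed sample trees (assumption, not real system paths): the suspect
    # tree has a same-size replacement of inetd plus one extra file.
    ref, sus = tempfile.mkdtemp(), tempfile.mkdtemp()
    for d in (ref, sus):
        os.makedirs(os.path.join(d, "usr", "sbin"))
        with open(os.path.join(d, "usr", "sbin", "inetd"), "wb") as f:
            f.write(b"original inetd bytes")
    with open(os.path.join(sus, "usr", "sbin", "inetd"), "wb") as f:
        f.write(b"trojaned inetd bytes")  # same size, so only the checksum differs
    with open(os.path.join(sus, "usr", "sbin", "extra"), "wb") as f:
        f.write(b"x")
    return compare_manifests(build_manifest(ref), build_manifest(sus))
```

Running `demo()` shows why the post insists on checksums rather than sizes alone: the replaced file is flagged only by its hash, while the extra file is the kind of false alert an additional package produces.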