[WBEL-users] ROOTKIT checking software

Denis Croombs denis@just-servers.co.uk
Thu, 11 Nov 2004 19:15:34 -0000


I have found some of my customers' systems have had the root password changed
remotely by an ex-employee. I know I can go do a rescue CD boot and change
the root password to something I know, BUT I have a few questions.

1) What files record when root last logged in and from what IP address?
2) What files record any other activity by the same person?
3) What log files should be kept for handing over to the police?
(we have informed them and they are sending someone tomorrow)

4) What else should I be doing?

All help would be very helpful.
(I think I know the answer to most of the above, but I MUST do a sanity
check!) I just do not want to miss anything.

Regards

Denis
