[WBEL-users] ROOTKIT checking software
Conor Wynne
weeboy@conorwynne.com
Thu, 11 Nov 2004 19:28:12 +0000
On Thu, 2004-11-11 at 19:15, Denis Croombs wrote:
> I have found some of my customers' systems have had the root password changed
> remotely by an ex-employee, I know I can go do a rescue CD boot and change
> the root password to something I know BUT I have a few questions.
>
> 1) What files record when root last logged in and from what IP address ?
> 2) What files record any other activity by the same person ?
> 3) What log files should be kept for handing over to the police ?
> (we have informed them and they are sending someone tomorrow)
Try "last", this will show you the last logins from wherever.
e.g.:
root pts/1 snowwhite.conorw Thu Nov 11 19:25 still logged in
root pts/0 213.94.228.209 Thu Nov 11 10:27 - 14:36 (04:09)
root pts/1 213.94.228.209 Thu Nov 11 08:54 - 08:55 (00:00)
> 4) What else should I be doing ?
Run "chkrootkit" - google for it.
Tar up /var/log for reference. Maybe get a snapshot of the entire system
for offline analysis.
> All help would be very helpful
> (I think I know the answer to most of the above but I MUST do a sanity
> check ! ) I just do not want to miss anything.
>
> Regards
>
> Denis
-- 
Conor Wynne
Dublin,
Irlande.
GPG Key: http://www.conorwynne.com/gpg-key
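The triage the reply describes (read "last" for remote root sessions, then tar up /var/log for reference), as an added example that is not part of the original thread. It assumes a Linux host with tar and sha256sum; the "last" sample is constructed in the reply's own column format, and the local tty line is there to show that sessions with no source host are skipped.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes tar and sha256sum exist.

# Constructed sample of `last` output (same columns as in the reply).
SAMPLE_LAST='root pts/1 snowwhite.conorw Thu Nov 11 19:25 still logged in
root pts/0 213.94.228.209 Thu Nov 11 10:27 - 14:36 (04:09)
root pts/1 213.94.228.209 Thu Nov 11 08:54 - 08:55 (00:00)
root tty1 Thu Nov 11 07:00 - 07:10 (00:10)
denis pts/2 10.0.0.5 Thu Nov 11 09:00 - 09:30 (00:30)'

# Read `last` output on stdin and print "user host" for each root session
# that has a source host. A console login has no host column, so field 3
# is the weekday; those lines (and "reboot"/"wtmp begins") are dropped.
root_remote_logins() {
    awk '$1 == "root" && $3 !~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/ { print $1, $3 }'
}

# Number of distinct hosts that root sessions came from.
count_root_sources() {
    root_remote_logins | awk '{ print $2 }' | sort -u | wc -l | tr -d ' '
}

# Copy a log directory into a timestamped tarball and record its SHA-256,
# so later tampering with the evidence copy can be detected.
# Usage: preserve_logs /var/log /mnt/evidence   (prints the archive path)
preserve_logs() {
    logdir="$1"; outdir="$2"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$outdir/logs-$stamp.tar.gz"
    tar -czf "$archive" -C "$(dirname "$logdir")" "$(basename "$logdir")" || return 1
    sha256sum "$archive" > "$archive.sha256" || return 1
    echo "$archive"
}

# Print the sample triage when run directly: `sh triage.sh demo`.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LAST" | root_remote_logins
fi
```

Verify the archive later with `sha256sum -c logs-<stamp>.tar.gz.sha256`.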