[WBEL-users] ROOTKIT checking software
Plant, Dean
dean.plant@roke.co.uk
Fri, 12 Nov 2004 09:13:17 -0000
Denis Croombs wrote:
> I have found some of my customers' systems have had the root password
> changed remotely by an ex-employee, I know I can go do a rescue CD
> boot and change the root password to something I know BUT I have a
> few questions.
>
> 1) What files record when root last logged in and from what IP address ?
> 2) What files record any other activity by the same person ?
> 3) What log files should be kept for handing over to the police ?
> (we have informed them and they are sending someone tomorrow)
>
> 4) What else should I be doing ?
Good details here.
From the CERT website:
CERT(r) Coordination Center
Steps for Recovering from a UNIX or NT System Compromise
http://www.cert.org/tech_tips/root_compromise.html
Good luck.
Dean.
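On Linux the answer to question 1 is mostly the binary login accounting files, /var/log/wtmp (logins and logouts, read by `last`) and /var/log/lastlog (most recent login per user, read by `lastlog`), plus the text logs from sshd and login in /var/log/secure or /var/log/auth.log. Because wtmp is binary, it is useful to be able to read a copy of it offline, on a clean machine, rather than trusting the `last` binary on a box that may have been tampered with. The following is an added example, not part of the thread, that decodes wtmp records and lists root logins with their source address. It assumes the glibc x86_64 `struct utmp` layout (384-byte records) and builds its own constructed sample records instead of reading a real file; `parse_wtmp`, `root_logins` and `make_record` are names chosen for this example.

```python
import socket
import struct
from datetime import datetime, timezone

# Assumption: glibc x86_64 'struct utmp' (384 bytes per record):
#   ut_type(short) pad(2) ut_pid(int) ut_line[32] ut_id[4] ut_user[32]
#   ut_host[256] ut_exit{short,short} ut_session(int32) ut_tv{int32,int32}
#   ut_addr_v6[4 x int32] unused[20]
UTMP_FORMAT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FORMAT)  # 384 on the assumed layout
USER_PROCESS = 7   # a user login session
DEAD_PROCESS = 8   # the matching logout


def _cstr(raw):
    """Decode a NUL-padded C string field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def _addr_to_str(words):
    """ut_addr_v6 holds an IPv4 in words[0] or a full IPv6; zeros mean local."""
    if not any(words):
        return ""
    packed = struct.pack("<4i", *words)
    if not any(words[1:]):
        return socket.inet_ntoa(packed[:4])
    return socket.inet_ntop(socket.AF_INET6, packed)


def parse_wtmp(data):
    """Decode every complete record in a wtmp byte string into a list of dicts."""
    records = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FORMAT, data, off)
        ut_type, pid, line, _ut_id, user, host, _term, _exit, _sess, tv_sec, _usec = f[:11]
        records.append({
            "type": ut_type,
            "pid": pid,
            "line": _cstr(line),
            "user": _cstr(user),
            "host": _cstr(host),
            "ip": _addr_to_str(f[11:15]),
            "time": tv_sec,
            "utc": datetime.fromtimestamp(tv_sec, timezone.utc).isoformat(),
        })
    return records


def root_logins(records):
    """Login events for root, oldest first (logouts and system records skipped)."""
    hits = [r for r in records if r["type"] == USER_PROCESS and r["user"] == "root"]
    return sorted(hits, key=lambda r: r["time"])


def make_record(ut_type, pid, line, user, host, ip, tv_sec):
    """Build a constructed wtmp record for testing; not read from any real host."""
    addr = (0, 0, 0, 0)
    if ip:
        raw = socket.inet_pton(socket.AF_INET6, ip) if ":" in ip else socket.inet_aton(ip) + b"\0" * 12
        addr = struct.unpack("<4i", raw)
    return struct.pack(UTMP_FORMAT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, *addr)


# Constructed sample: a local console login by alice, then a remote root login
# from a documentation-range address, then root's logout.
SAMPLE_WTMP = b"".join([
    make_record(USER_PROCESS, 2001, "tty1", "alice", "", "", 1099900000),
    make_record(USER_PROCESS, 2345, "pts/0", "root", "203.0.113.5", "203.0.113.5", 1100000000),
    make_record(DEAD_PROCESS, 2345, "pts/0", "", "", "", 1100003600),
])

if __name__ == "__main__":
    for r in root_logins(parse_wtmp(SAMPLE_WTMP)):
        print(f"{r['user']:<8} {r['line']:<8} {r['ip'] or 'local':<16} {r['utc']}")
```

To use it on evidence, copy /var/log/wtmp off the compromised machine (recording its SHA-256 first, since the copy is what gets handed over), then feed `open(path, "rb").read()` to `parse_wtmp`. A record whose `user` is root but whose `ip` is empty was a console or local login; anything else carries the source address the intruder connected from, which is what the police will ask for.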