I'm no expert. I run chkrootkit on a regular basis. Run a virus scanner it will find some exploits. Hacafee found a few rootkits and known kernel exploits. I use mcafee for linux. Analyze history files for certain keywords. The best way would be to analyze command frequency in history files and look for infrequently occuring commands that are good indications of hack attempts. Look at anyone running command: uname -a
Install grsecurity, and laugh at the attempts to do buffer overruns. Enable grsecurity acl subsystem and continue laughing. Analyze login frequency, what country are they logging in from? Have they logged in from this address before? Analyze login time, 2-6am is when most exploits occur. Look at tripwire or sash logs. (still use tripwire have not learned how to use sash) Look at when root logins. Check for processes initiating outgoing connections, hackers love to wget their files. Check for process using a lot of memory or processor time. Jason Lim said: > >> >> One of my hats is a junior sys admin in an academic environment. I'm >> curious as to how you know when shell users are trying to exploit a > kernel >> hole. > > chkrootkit? > > > -- > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > with a subject of "unsubscribe". Trouble? Contact > [EMAIL PROTECTED] > -- --Luke CS Sysadmin, Montana State University-Bozeman
