> Last week I uncovered a RedHat box that had been rooted (fortunately it
> had only recently been installed and nothing important was on it.)
> Rather than me having to go through a hands-on intensive process of
> analyzing every other Linux system on the LAN, are there tools that I can
> use to determine whether or not this SOB got into other systems?
>
> Any pointers to where I can learn more about the different types of
> rootkits and how to counter or detect them are also welcome.
>
> Thanks!
> --
I seem to remember FreeBSD having a nightly cron job script that would save the md5sum of every file on the system to a file, and then compare it with the md5sum of the same file that it generated 24 hours before. Differences were mailed to root. I always thought this to be a good idea; perhaps you could implement it yourself? Seems like a simple shell script.

Anyway, that solution doesn't work well in your current situation. Do you have another box with the same updates that you know is clean? You could compare md5s from that one...

HTH,
-tom

> Dan Coutu
> Managing Director
> Snowy Owl Internet Consulting, LLC
> http://www.snowy-owl.com/
>
> _______________________________________________
> gnhlug-discuss mailing list
> [EMAIL PROTECTED]
> http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
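The nightly hash-and-compare job Tom describes, written out as a small script. This is an added example, not code from the thread and not FreeBSD's own periodic script; it assumes a POSIX shell with find, sha256sum (used here instead of md5sum), awk, sort and, for the cron entry point, a working mail(1). The manifest directory /var/lib/integrity, the cron path /usr/local/sbin/integrity-check.sh, and the sample file tree built by demo are all assumed or constructed for the example. The same build_manifest/compare_manifests pair also covers Tom's second suggestion: build a manifest on a known-clean box with the same updates and compare it against the suspect one.

```shell
#!/bin/sh
# Added example: nightly file-integrity check in the style of the FreeBSD
# daily job described above. Assumed tools: find, sha256sum, awk, sort, mail.
# Simplification: file names containing spaces or newlines are not handled.

BASE_DIR=${BASE_DIR:-/var/lib/integrity}   # assumed location for manifests

# build_manifest DIR OUT
#   Hash every regular file under DIR (paths relative to DIR, staying on the
#   same filesystem so /proc, /sys and /dev are skipped) into OUT as
#   "hash  path" lines, sorted by path so two manifests compare cleanly.
build_manifest() {
    dir=$1; out=$2
    (cd "$dir" && find . -xdev -type f -exec sha256sum {} +) \
        | LC_ALL=C sort -k 2 >"$out"
}

# compare_manifests OLD NEW
#   Print one ADDED / CHANGED / REMOVED line per difference, sorted;
#   prints nothing when the two trees match.
compare_manifests() {
    awk '
        FILENAME == ARGV[1] { old[$2] = $1; next }     # baseline manifest
        {
            seen[$2] = 1
            if (!($2 in old))        print "ADDED   " $2
            else if (old[$2] != $1)  print "CHANGED " $2
        }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' "$1" "$2" | LC_ALL=C sort
}

# nightly_check ROOT
#   Cron entry point: hash ROOT, report differences from yesterday to root,
#   then rotate today's manifest into place as the new baseline.
#   Assumed crontab line:  0 3 * * * /usr/local/sbin/integrity-check.sh
nightly_check() {
    root=$1
    mkdir -p "$BASE_DIR"
    build_manifest "$root" "$BASE_DIR/today"
    if [ -f "$BASE_DIR/yesterday" ]; then
        report=$(compare_manifests "$BASE_DIR/yesterday" "$BASE_DIR/today")
        [ -n "$report" ] && printf '%s\n' "$report" \
            | mail -s "integrity changes on $(hostname)" root
    fi
    mv "$BASE_DIR/today" "$BASE_DIR/yesterday"
}

# demo
#   Constructed sample: take a baseline of a tiny tree, tamper with it the way
#   an intruder might (replace a binary, edit passwd, delete a file, drop a
#   hidden file), then print the report. Manifests live outside the tree.
demo() {
    work=$(mktemp -d)
    tree=$work/tree
    mkdir -p "$tree/bin" "$tree/etc"
    printf 'original ls\n'  >"$tree/bin/ls"
    printf 'root:x:0:0\n'   >"$tree/etc/passwd"
    printf 'keep me\n'      >"$tree/etc/hosts"
    build_manifest "$tree" "$work/base"

    printf 'trojaned ls\n'  >"$tree/bin/ls"          # replaced binary
    printf 'hacker::0:0\n'  >>"$tree/etc/passwd"     # appended account
    rm "$tree/etc/hosts"                             # deleted file
    printf 'x\n'            >"$tree/bin/.rootkit"    # new hidden file
    build_manifest "$tree" "$work/now"

    compare_manifests "$work/base" "$work/now"
    rm -rf "$work"
}

demo
```

Two things to keep in mind when using something like this on the problem Dan describes. A hash run performed on a machine that has already been rooted is only as trustworthy as the sha256sum, find and kernel on that machine, so for the suspect boxes run the hashing from a known-clean boot medium or against the disks mounted on a clean host. And the baseline has to be stored where the intruder cannot rewrite it (another host, or read-only media); a manifest kept on the same box that is rotated nightly will simply be refreshed to include whatever was planted.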