Tom Fogal wrote:
I seem to remember FreeBSD having a nightly cron job script that would save the md5sum of every file on the system to a file, and then compare it with the md5sum of the same file that it generated 24 hours before. Differences were mailed to root. I always thought this to be a good idea; perhaps you could implement it yourself? Seems like a simple shell script.

It's run by periodic daily in /etc/crontab. It actually just checks for changes in setuid files in the system. The script that does the actual checking is /etc/periodic/security/100.chksetuid.


Anyway, that solution doesn't work well in your current situation. Do you have another box with the same updates that you know is clean? You could compare MD5s from that one...

Setting up an MD5 checker is a good idea for the paranoid. Since it isn't exactly common practice, most root kits wouldn't be able to mess with your checksum repository because they don't know about it. Of course, you'll need to do this on a known-good system.


For the original poster, I've dealt with compromised boxes before. Generally, when a group of similar systems is rooted at or about the same time, it's done by the same person using the same root kit. This means that you'll have the same fingerprint on all the machines, so look for whatever it was that tipped you off that your first machine had been rooted on the other machines.

Alternatively, there are tools to check for the most commonly used root kits. You should be able to find links to some on Google.


_______________________________________________ gnhlug-discuss mailing list [EMAIL PROTECTED] http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
