How to detect invasions?
steve at horne.homelinux.net
Fri Aug 29 21:19:46 EDT 2003
On Fri, Aug 29, 2003 at 08:25:19PM -0400, I.M.Walberg wrote:
> I had RedHat 7.3 installed about a year ago. I set up the firewall with
> medium security. Recently, I've noticed that my rp3 shows send and
> receive activity even when I'm not doing anything. I rebooted to check
> this out and it shows activity even when the only programs I'm running are
> xterms and rp3 (connected obviously).
I was rooted some years ago.
After a cleanup, I did this ---
-file "makelist"
=========
#!/bin/sh
# Record an MD5 baseline of every regular file in the directories an
# intruder is most likely to replace binaries or configs in.
# The first find creates md5list1.txt; the rest append to it.
find /sbin -type f -exec md5sum {} \; > md5list1.txt
find /bin -type f -exec md5sum {} \; >> md5list1.txt
find /etc -type f -exec md5sum {} \; >> md5list1.txt
find /usr/sbin -type f -exec md5sum {} \; >> md5list1.txt
find /usr/bin -type f -exec md5sum {} \; >> md5list1.txt
find /usr/local/bin -type f -exec md5sum {} \; >> md5list1.txt
# only the top level of /usr/lib, not its subdirectories
find /usr/lib -maxdepth 1 -type f -exec md5sum {} \; >> md5list1.txt
====
Then this, about once every week or so, depending
on level of paranoia
=== file "md5tst" ===
#!/bin/sh
# Rehash every path in the baseline. A changed file prints "path: FAILED",
# a deleted one prints "path: FAILED open or read"; grep keeps both and
# drops the "OK" lines. Run from the directory holding md5list1.txt.
md5sum --check md5list1.txt | grep -i failed > diff.txt
====
If I see anything interesting, I check it out.
So far (fingers crossed) ok.
YMMV
Steve
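An added example, not the makelist/md5tst scripts from the post above: the same baseline-and-compare idea as two POSIX shell functions, with SHA-256 in place of MD5 (MD5 is no longer collision-resistant) and one extra check that `md5sum --check` cannot do on its own. `--check` only rehashes the paths already listed in the baseline, so a file an intruder drops into /sbin after the baseline was taken is never looked at; this version also lists the current tree and reports such additions. It assumes GNU coreutils and findutils (find -print0, sort -z, xargs -0r, sha256sum, comm, mktemp) and takes the directories as arguments instead of the fixed list in makelist. The hypothetical script name fim.sh in the usage comment is just a label.

```shell
#!/bin/sh
# Added example (not the post's makelist/md5tst): a file-integrity baseline
# that reports MODIFIED, MISSING and ADDED files. Assumes GNU coreutils and
# findutils (find -print0, sort -z, xargs -0r, sha256sum, comm, mktemp).
set -e

# make_baseline DIR... : hash every regular file under DIR... and print
# "hash  path" lines, sorted by path so two baselines diff cleanly.
# -xdev keeps find from wandering onto other mounted filesystems.
make_baseline() {
    find "$@" -xdev -type f -print0 | sort -z | xargs -0r sha256sum
}

# check_baseline BASELINE DIR... : compare the current tree with BASELINE
# and print one line per difference:
#   ADDED path      exists now but was not in the baseline
#   MISSING path    was in the baseline but is gone
#   MODIFIED path   present in both, but the hash changed
# Prints nothing when the tree matches the baseline.
check_baseline() {
    baseline=$1; shift
    tmp=$(mktemp -d)
    make_baseline "$@" > "$tmp/current"
    # Path lists: strip the hex hash and the two separating spaces.
    sed 's/^[0-9a-f]*  //' "$baseline" | sort > "$tmp/old"
    sed 's/^[0-9a-f]*  //' "$tmp/current" | sort > "$tmp/new"
    comm -13 "$tmp/old" "$tmp/new" | sed 's/^/ADDED /'
    comm -23 "$tmp/old" "$tmp/new" | sed 's/^/MISSING /'
    # Rehash everything listed in the baseline. A changed file prints
    # "path: FAILED"; a deleted one prints "path: FAILED open or read",
    # which the anchored pattern skips since it was reported as MISSING.
    # --quiet drops the "OK" lines; stderr carries only the summary WARNING.
    sha256sum --check --quiet "$baseline" 2>/dev/null \
        | grep ': FAILED$' | sed 's/: FAILED$//; s/^/MODIFIED /'
    rm -rf "$tmp"
}

# Command-line use (fim.sh is a hypothetical name for this file):
#   ./fim.sh baseline /sbin /bin /etc /usr/sbin /usr/bin > base.txt
#   ./fim.sh check base.txt /sbin /bin /etc /usr/sbin /usr/bin
case "${1:-}" in
    baseline) shift; make_baseline "$@" ;;
    check)    shift; check_baseline "$@" ;;
esac
```

Keep the baseline (and ideally a known-good copy of sha256sum) off the host or on read-only media: a baseline stored next to the binaries it describes can be regenerated by the same intruder, and a trojaned hashing binary can report whatever it likes.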