I'm not a Linux person, but I've heard people talk about using Tripwire to detect changed files. I think it does a checksum of important files and then periodically it recomputes the checksums and looks to see if anything has changed.
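The mechanism described above (record checksums of important files, later recompute them and diff) can be shown in a few dozen lines. This is an added illustration, not Tripwire's own code: it records SHA-256, mode and size for a set of files, stores the baseline, then reports changed, missing and new files. The scenario in `demo()` is constructed in a temporary directory, so the "binaries" named ls, ps and netstat are stand-ins, not real system files.

```python
"""Minimal Tripwire-style file integrity check (added example, not Tripwire code).

Build a baseline of SHA-256 digests for a set of files, store it, and later
recompute and diff.  Everything here runs against a temporary directory of
constructed files so it is safe to execute anywhere.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Map each path to its digest plus mode and size, the attributes integrity
    checkers record so a permission change is caught as well as a content change."""
    baseline = {}
    for p in paths:
        st = p.stat()
        baseline[str(p)] = {"sha256": file_digest(p), "mode": st.st_mode, "size": st.st_size}
    return baseline


def compare(baseline, paths):
    """Recompute the same attributes and report what differs from the stored baseline."""
    current = build_baseline([p for p in paths if p.exists()])
    report = {"changed": [], "missing": [], "new": []}
    for path, old in baseline.items():
        new = current.get(path)
        if new is None:
            report["missing"].append(path)
        elif new != old:
            report["changed"].append(path)
    report["new"] = [p for p in current if p not in baseline]
    for key in report:
        report[key].sort()
    return report


def demo():
    """Constructed scenario: three stand-in 'system binaries'; one is replaced,
    one deleted and one unexpected file appears between baseline and check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        names = ["ls", "ps", "netstat"]
        for n in names:
            (root / n).write_bytes(b"original " + n.encode())
        watched = [root / n for n in names]

        # In practice the baseline goes to read-only or offline media;
        # here it is round-tripped through a JSON string to show the storage step.
        stored = json.dumps(build_baseline(watched))

        # Simulated compromise (constructed): ps replaced, netstat removed, a new file dropped.
        (root / "ps").write_bytes(b"replaced ps")
        (root / "netstat").unlink()
        (root / "rootkit.ko").write_bytes(b"x")

        report = compare(json.loads(stored), watched + [root / "rootkit.ko"])
        # Strip the temp-dir prefix so the result is stable for the caller.
        return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    print(demo())
```

The baseline must be built on a known-clean system and kept where the monitored host cannot rewrite it; a checker whose baseline lives on the same disk as the files it guards can be edited along with them, and a kernel-level rootkit can lie to any userland checker running on the compromised host, which is why such checks are most trustworthy when run from clean boot media.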
For Red Hat, "rpm -Va" checks all rpm-installed files and verifies them. Look for the "5" in the status field on things like ls, ps, and netstat. That's a big danger sign.
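Reading the "5" out of `rpm -Va` output by eye gets tedious on a full system, so here is an added example (not part of the comment above and not rpm's own code) that parses verify lines and ranks them: digest changes on a watchlist of binaries that rootkits replace come first, other digest changes, missing files and mode changes next, and edited config files last, since those are usually legitimate. The sample output, the `WATCHED_BINARIES` set and the severity labels are constructed for this example.

```python
"""Triage 'rpm -Va' output for signs of trojaned binaries (added example).

rpm -V prints one line per file that fails verification: a 9-character attribute
string (8 on older rpm), optionally a file-type letter such as 'c' for config
files, then the path.  Attribute positions are S size, M mode, 5 digest,
D device, L link target, U user, G group, T mtime, P capabilities; '.' means the
attribute matched and '?' means it could not be checked.
"""
import re
from dataclasses import dataclass

# Binaries rootkits classically replace to hide processes, files and sockets.
# Constructed watchlist for this example; extend it for your own environment.
WATCHED_BINARIES = {"ls", "ps", "netstat", "ss", "lsof", "find", "login", "sshd", "top", "du"}

# Sample rpm -Va output, constructed for this example (not from a real host).
SAMPLE_OUTPUT = """\
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/bin/gzip
S.5....T.    /bin/ps
..5......    /bin/netstat
.M.......    /usr/bin/passwd
missing     /usr/sbin/sshd
S.5....T.    /usr/lib64/libc.so.6
"""

LINE_RE = re.compile(
    r"^(?P<attrs>missing|[SM5DLUGTP.?]{8,9})\s+"
    r"(?:(?P<ftype>[cdglr])\s+)?"
    r"(?P<path>/\S.*)$"
)


@dataclass
class VerifyLine:
    attrs: str   # e.g. "S.5....T." or "missing"
    ftype: str   # 'c' config, 'd' doc, 'g' ghost, 'l' license, 'r' readme, '' normal
    path: str

    @property
    def digest_changed(self) -> bool:
        return "5" in self.attrs

    @property
    def mode_changed(self) -> bool:
        return "M" in self.attrs

    @property
    def missing(self) -> bool:
        return self.attrs == "missing"

    @property
    def is_config(self) -> bool:
        return self.ftype == "c"


def parse_rpm_verify(text: str):
    """Parse verify lines; anything that does not look like one (headers, warnings) is skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if m:
            entries.append(VerifyLine(m["attrs"], m["ftype"] or "", m["path"]))
    return entries


def triage(entries):
    """Rank findings. Digest changes on watched binaries are the 'big danger sign';
    other digest changes, missing package files and mode changes are suspicious;
    modified config files are expected on any administered host."""
    findings = {"critical": [], "suspicious": [], "expected": []}
    for e in entries:
        name = e.path.rsplit("/", 1)[-1]
        if e.is_config:
            findings["expected"].append(e.path)
        elif e.digest_changed and name in WATCHED_BINARIES:
            findings["critical"].append(e.path)
        elif e.digest_changed or e.missing or e.mode_changed:
            findings["suspicious"].append(e.path)
        # mtime-only differences (e.g. after touch or prelink) are not reported here
    return findings


if __name__ == "__main__":
    for level, paths in triage(parse_rpm_verify(SAMPLE_OUTPUT)).items():
        for p in paths:
            print(f"{level:10} {p}")
```

To use it on a live host, feed it the real output (`rpm -Va 2>/dev/null`) instead of `SAMPLE_OUTPUT`. Bear in mind that the verification consults the rpm database and the rpm binary on the same host; an attacker with root can alter both, so a clean result from a possibly compromised machine is weaker evidence than a failed one, and the strongest check uses an rpm binary and package files taken from trusted media.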
no subject
Date: 2005-04-05 02:02 pm (UTC)
On that subject, can you recommend a tool for detecting whether one has been rootkitted? I think I should keep a closer eye on my machine than I do.
no subject
Date: 2005-04-05 02:19 pm (UTC)
no subject
Date: 2005-04-05 05:24 pm (UTC)
no subject
Date: 2005-04-05 08:40 pm (UTC)
no subject
Date: 2005-04-05 09:41 pm (UTC)
Blatant things that happened to me were my password getting changed on remote machines and local syslog files being blown away. Also, tcpdump or snoop showing unusual network activity, or nmap (ideally from another machine) finding unusual ports open.