There are also other items in a standard rootkit. You could spend time
checking ls, ps, top, sum, yada yada yada, against your pristine versions
on read-only installation media (after booting into single-user mode on
pristine read-only trusted media (and ONLY running binaries from said
media)), but IMHO your best bet after a breach/rootkit incident is to
take off and nuke the site from orbit. It's the only way to be sure.

I'm sure there's a HOWTO on cleaning up your system after a rootkit
"upgrade." Check Google.

D

On Mon, Sep 25, 2000 at 01:23:37PM -0700, Don Harrop wrote:
> Thanks for the responses. I never knew about the command "last". Very
> cool. I've already found out most of what I needed. It was some guy over
> in Russia. Those punks! :-) He left some cool utilz on the hard drive
> for me though. A login replacement that logs all usernames and passwords
> and an in.ftpd replacement. That's how he got in in the first place. I
> was running wu-ftpd 2.5.x... I already know there's tons of documented
> exploits with that version. I've just upgraded to wu-ftpd 2.6 so that
> should slow 'em down a little bit.
>
> Don
>
> On 26 Sep 2000, Bill Warner wrote:
>
> > This information is located in the /etc/shadow file. It is referenced
> > in the standard unix time thing (seconds since Jan 1 1970). Check
> > man shadow for more details.
> >
> > Bill Warner
> >
> > > Hey guys.
> > > At login I get a printout of when the last login occurred. Where
> > > is that info stored? I want to check out a user on the system but
> > > don't want to log in as them. One of the machines I work with had the
> > > root account compromised. It's just running a few mushes so it's not that
> > > big of deal but I don't want it happening again. I went through it with a
> > > fine tooth comb and wouldn't mind it if any of you guys tried to whack at
> > > it... Lemme know what you find. The IP is 205.216.140.17
> > >
> > > Don
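The check D describes at the top of the thread (comparing ls, ps, top and friends against pristine copies on trusted media) is essentially a manifest comparison. The script below is an added example, not code from any poster in this thread: it builds a sha256 manifest of a trusted tree and later verifies a live tree against it, reporting files that were modified or removed. Function names, the manifest format and the sample files are all constructed for the example; it assumes coreutils `sha256sum`, `find` and `cut`. For the check to mean anything, the manifest must be created from trusted media and the hashing tools used at verification time must themselves come from that media, which is the point of D's "ONLY running binaries from said media" caveat.

```shell
#!/bin/sh
# Constructed example: baseline-and-verify for a tree of system binaries.

# make_baseline TRUSTED_ROOT MANIFEST
# Hash every regular file under the trusted root (paths relative to it),
# writing "hash  ./relative/path" lines, sorted for stable diffs.
make_baseline() {
    root="$1"; manifest="$2"
    ( cd "$root" && find . -type f | sort | xargs sha256sum ) > "$manifest"
}

# verify_tree LIVE_ROOT MANIFEST
# Prints "MISSING <path>" or "MODIFIED <path>" for each discrepancy.
# Returns 0 when every manifest entry matches, 1 otherwise.
verify_tree() {
    root="$1"; manifest="$2"
    status=0
    while read -r expected path; do
        if [ ! -f "$root/$path" ]; then
            echo "MISSING $path"; status=1; continue
        fi
        actual=$(sha256sum "$root/$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $path"; status=1
        fi
    done < "$manifest"
    return $status
}

# Stand-alone demonstration on constructed sample files (hypothetical tree).
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/bin"
    printf 'pristine ls\n' > "$t/bin/ls"
    printf 'pristine ps\n' > "$t/bin/ps"
    make_baseline "$t" "$t.manifest"
    echo "clean tree:"; verify_tree "$t" "$t.manifest" && echo "  OK"
    printf 'trojaned ls\n' > "$t/bin/ls"      # simulate a replaced binary
    echo "after tampering:"; verify_tree "$t" "$t.manifest" || echo "  tree differs"
    rm -rf "$t" "$t.manifest"
}

[ "${1:-}" = "demo" ] && demo
```

Run with `sh verify.sh demo` to see the clean and tampered results; in real use the manifest would be created from read-only installation media and verified against the suspect root (for example a mounted disk from the compromised host). Hidden directories and files that are not regular files (device nodes, symlinks) are deliberately outside the scope of this check.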