March Meeting Presentations

Author: Bob George
Date:  
Subject: March Meeting Presentations
"John (EBo) David" <> wrote:

> George Toft wrote:
> >
> > Hi John,
> >
> > Post a ps and let the group dissect it.
>
> Ok... See appended:


Output of ps won't mean much if a rootkit has already been installed
(search on rootkits - i.e.
http://linux.oreillynet.com/pub/a/linux/2001/12/14/rootkit.html)

Ideally, you'd have tools running up front to detect unauthorized changes.
There are tools though (i.e. chkrootkit - http://www.chkrootkit.org/) to
look for signs of compromise even after the fact.

Running something like aide or tripwire against critical files is a good
detection measure, but it needs to be set up up front.

- Bob
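
Added example, not part of the original message: a minimal sketch of the baseline-then-compare idea behind tools like aide or tripwire, showing why the baseline has to exist before anything is tampered with. The function names and the temporary sample files are assumptions constructed for illustration; this is not how either tool is implemented.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def fingerprint(path):
    """Return (sha256, permission bits, size) for one file."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest(), st.st_mode & 0o7777, st.st_size


def build_baseline(root):
    """Walk root and record a fingerprint per file, keyed by relative path."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline


def compare(baseline, current):
    """Report files added, removed or changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline.keys() & current.keys()
                          if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a directory, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed stand-ins for critical binaries; not real system files.
        for name, body in (("ps", b"original ps"), ("ls", b"original ls")):
            Path(root, name).write_bytes(body)
        baseline = build_baseline(root)  # taken while the host is still trusted
        Path(root, "ps").write_bytes(b"replaced ps")  # same size, new content
        Path(root, "extra").write_bytes(b"new file")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

A baseline kept on the same host can be rewritten by whoever modified the files, so store it on read-only or off-host media and run the comparison from a trusted environment.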