Recommendations (3)
Intruder detection checklist
- ftp://info.cert.org/pub/tech_tips/intruder_detection_checklist
- examine log files for connections from unusual locations or other unusual activity (‘last’, ‘ps’, syslog)
- look for setuid and setgid files (copies of /bin/sh, /bin/time)
- find / -user root -perm -4000 -print
- find / -group kmem -perm -2000 -print
- ncheck -s /dev/rsd0g
- check system binaries to make sure that they haven’t been altered (login, su, telnet, ifconfig, ps, ls, find, du, df, netstat)
- use cmp, MD5, Tripwire checksum tools
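The checklist above is a procedure: review login records, sweep for setuid/setgid files, and verify that system binaries still match a known-good checksum baseline. The POSIX sh script below is an added example (not part of the CERT checklist or any of the tools it names) that carries those three steps through with one small tool. Function names, the baseline file format, the weekday heuristic for console logins, and the sample `last` output in the comments are assumptions; it uses only `find`, `awk`, and `sha256sum` (or `shasum` on BSD/macOS). The baseline file should live outside the monitored directory, ideally on read-only media, so it is neither hashed alongside the binaries nor tampered with in the same intrusion.

```shell
#!/bin/sh
# Added example, not from the CERT checklist: a small intruder-detection helper
# covering three checklist items. Function names and formats are assumptions.

# Pick a SHA-256 tool; assumes GNU coreutils (sha256sum) or BSD/macOS (shasum).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# make_baseline DIR OUTFILE: record "sha256 path" for every regular file in DIR.
# OUTFILE must be outside DIR, or it would be hashed while being written.
make_baseline() {
    : > "$2"
    find "$1" -type f -print | sort | while read -r f; do
        echo "$(hash_file "$f") $f" >> "$2"
    done
}

# check_baseline OUTFILE: compare current hashes against the recorded ones.
# Prints "CHANGED path" or "MISSING path"; exit status 1 if anything differs.
check_baseline() {
    status=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; status=1
        elif [ "$(hash_file "$path")" != "$expected" ]; then
            echo "CHANGED $path"; status=1
        fi
    done < "$1"
    return $status
}

# list_privileged DIR: setuid (-4000) or setgid (-2000) regular files under DIR.
# Same test as the checklist's find commands, but both bits in one pass.
list_privileged() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# flag_unexpected_logins TRUSTED_REGEX < last-output: print login records whose
# source host (third column of `last`) does not match TRUSTED_REGEX.
# Pseudo-users (reboot, shutdown), the "wtmp begins" trailer, blank lines and
# console logins (no host, so column 3 is a weekday) are skipped; the weekday
# test is a heuristic assumed to fit the usual `last` layout.
flag_unexpected_logins() {
    awk -v trusted="$1" '
        $1 == "reboot" || $1 == "shutdown" || $1 == "wtmp" || NF == 0 { next }
        $3 ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/ { next }
        $3 !~ trusted { print }
    '
}

# Command-line front end (hypothetical):
#   baseline DIR OUTFILE | check OUTFILE | privileged DIR | logins TRUSTED_REGEX
case "${1:-}" in
    baseline)   make_baseline "$2" "$3" ;;
    check)      check_baseline "$2" ;;
    privileged) list_privileged "$2" ;;
    logins)     last | flag_unexpected_logins "$2" ;;
esac
```

Typical use is `sh idcheck.sh baseline /usr/bin /mnt/ro/baseline.txt` once on a clean system, then `sh idcheck.sh check /mnt/ro/baseline.txt` and `sh idcheck.sh privileged /` from cron, with any CHANGED or MISSING line, or any setuid file not on the expected list, treated as a lead to investigate rather than a verdict. The logins subcommand takes an anchored regex for the address ranges you expect, e.g. `'^10\.'`.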