Not only that, one thing that should've been done _before_ powering off was an lsof -i. This would've given you the IP of the attacking machine which _could_ have further aided in the investigation.

But that's in the past now, so, fresh install of OBSD3.1 somewhere else and run AIDE or Tripwire on / (or use md5sums etc) and verify which files have changed.

Straight off the bat I can safely say that I _don't_ like:

* Anything in */[s]bin/* that has changed / been accessed that you are unsure of
* Same goes for /etc/* (esp. Master.passwd etc)
* Check any of the .history files etc.

HTH,

Scott

On 7/31/02 1:28 PM, "NM" <mlat_private> wrote:

> On Mon 29/07/2002 at 21:20, Ingram wrote:
>
>> So, that's my story, I hope somebody on this list can point me
>> where and how I can find out more about this accident.
>>
>> regards & thanks in advantage
>> Ingram
>
> Is there a way you could diff the files you got with those of a backup,
> or of a fresh install, to find out what was modified? Not only would it
> show you which files were changed, but also how.
>
>
> -----------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Aug 01 2002 - 06:52:33 PDT
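
The comparison suggested in this thread (hash every file, then check the suspect system against a fresh install), as an added example that is not part of the original messages. It assumes the fresh install and the suspect disk are both mounted on a trusted analysis machine, uses sha256sum in place of the md5sums mentioned, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: compare a suspect tree (e.g. the compromised disk mounted
# read-only on an analysis machine) against a known-good reference tree.
# Assumptions: sha256sum (GNU coreutils) is available and file names
# contain no newlines or backslashes.

# manifest DIR: print "<sha256>  ./relative/path" for every regular file.
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + )
}

# compare_trees REF SUSPECT: print one sorted line per difference:
#   ADDED ./path     present only in the suspect tree
#   CHANGED ./path   content differs from the reference
#   MISSING ./path   present only in the reference tree
compare_trees() {
    ref_list=$(mktemp) || return 1
    sus_list=$(mktemp) || { rm -f "$ref_list"; return 1; }
    manifest "$1" > "$ref_list"
    manifest "$2" > "$sus_list"
    awk '
        # 64 hex digits plus a 2-character separator precede the path
        { hash = $1; path = substr($0, 67) }
        # first input file: remember the reference hash of each path
        FILENAME == ARGV[1] { ref[path] = hash; next }
        # second input file: classify each suspect path
        {
            seen[path] = 1
            if (!(path in ref))          print "ADDED " path
            else if (ref[path] != hash)  print "CHANGED " path
        }
        END { for (p in ref) if (!(p in seen)) print "MISSING " p }
    ' "$ref_list" "$sus_list" | sort
    rm -f "$ref_list" "$sus_list"
}

# Run as a script: ./compare.sh /mnt/reference /mnt/suspect
if [ "$#" -eq 2 ]; then
    compare_trees "$1" "$2"
fi
```

Hashes only show that content differs; access times and the actual differences still have to be examined on the flagged files.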