FC9 Compromised...
Aldo Foot
lunixer at gmail.com
Sat Feb 28 00:08:31 UTC 2009
On Fri, Feb 27, 2009 at 3:32 PM, Patrick O'Callaghan
<pocallaghan at gmail.com> wrote:
> On Fri, 2009-02-27 at 14:08 -0800, Aldo Foot wrote:
>> You could try booting with a LiveCD and use find to expose files
>> created recently.
>
> No good. A rootkit could have changed the file creation time.
True. But years ago, while gathering data from a compromised system
I came across an executable named "zap" and the command strings
showed what was supposed to happen to wtmp files and the like. So,
file names alone may be suspicious.
~af
More information about the fedora-list
mailing list