Check for failed logins in /var/log/messages<br><br>Check if the /etc/passwd file have been changed<br><br>Use commands like last, w and uptime. <br><br><br><br><div class="gmail_quote">2009/8/19 Eduardo Grosclaude <span dir="ltr">&lt;<a href="mailto:eduardo.grosclaude@gmail.com">eduardo.grosclaude@gmail.com</a>&gt;</span><br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class="im">On Wed, Aug 19, 2009 at 1:57 AM, Bill Campbell&lt;<a href="mailto:centos@celestial.com">centos@celestial.com</a>&gt; wrote:<br>

&gt; You cannot trust tools like ``ps&#39;&#39;, ``find&#39;&#39;, ``netstat&#39;&#39;, and<br>
&gt; ``lsof&#39;&#39; as these are frequently replaced by ones that are<br>
&gt; modified to hide the cracker&#39;s work.<br>
<br>
</div>As a corollary, the only safe way to audit a suspected system is<br>
booting your diagnostic tool from known good media (eg try a security<br>
Live CD distro)<br>
<font color="#888888"><br>
--<br>
Eduardo Grosclaude<br>
Universidad Nacional del Comahue<br>
Neuquen, Argentina<br>
</font><div><div></div><div class="h5">_______________________________________________<br>
CentOS mailing list<br>
<a href="mailto:CentOS@centos.org">CentOS@centos.org</a><br>
<a href="http://lists.centos.org/mailman/listinfo/centos" target="_blank">http://lists.centos.org/mailman/listinfo/centos</a><br>
</div></div></blockquote></div><br>