[CentOS] How to tell if I've been hacked?

Sun Aug 23 00:31:08 UTC 2009
drew einhorn <drew.einhorn at gmail.com>

On Sat, Aug 22, 2009 at 10:49 AM, Bill Campbell <centos at celestial.com> wrote:
>
> On Fri, Aug 21, 2009, Dave wrote:
> >On Tue, Aug 18, 2009 at 3:53 PM, Scott Ehrlich<srehrlich at gmail.com> wrote:
> ... stuff deleted
>
> >On Tue, Aug 18, 2009 at 6:57 PM, Bill Campbell<centos at celestial.com> wrote:
> >> To really know whether a system has been hacked, it's necessary
> >> to use something like Tripwire or Aide,


> One of the problems I've found with tripwire in particular and aide to a
> lesser extent is that they (a) tend to be very verbose even when nothing
> has changed, and (b) updating their database is fairly complex.  I have
> developed a system that we use here and at our client sites that uses the
> tripwire formatted configuration files, but maintains its own database, and
> produces minimal reports of changes (none if nothing has changed).
> Updating its database after changes have been checked and verified is a
> simple file ``mv'' command.

Another open source tool you might want to consider.

http://ftimes.sourceforge.net/FTimes/index.shtml

--
Drew Einhorn
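
The workflow described in the quoted message (a separate database, a report that lists only changes, and acceptance by a file move), as an added Python sketch that is not Bill Campbell's system and not part of the original thread. The JSON database format, the use of SHA-256, the function names, and taking a plain list of directories instead of a Tripwire-format configuration file are all assumptions.

```python
import hashlib, json, os, stat

def snapshot(roots):
    """Map each regular file under roots to its SHA-256, mode, owner and size."""
    db = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue  # skip symlinks, sockets and device nodes
                h = hashlib.sha256()
                with open(path, "rb") as f:
                    for chunk in iter(lambda: f.read(65536), b""):
                        h.update(chunk)
                db[path] = {"sha256": h.hexdigest(), "mode": oct(st.st_mode),
                            "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size}
    return db

def compare(baseline, current):
    """Return one line per difference; an empty list when nothing changed."""
    report = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            report.append("ADDED   %s" % path)
        elif new is None:
            report.append("REMOVED %s" % path)
        elif old != new:
            fields = ",".join(k for k in old if old[k] != new[k])
            report.append("CHANGED %s (%s)" % (path, fields))
    return report

def check(roots, baseline_file, pending_file):
    """Write a fresh snapshot to pending_file and report differences from the baseline."""
    current = snapshot(roots)
    with open(pending_file, "w") as f:
        json.dump(current, f, sort_keys=True, indent=1)
    if not os.path.exists(baseline_file):
        return ["NO BASELINE: review %s, then mv it to %s" % (pending_file, baseline_file)]
    with open(baseline_file) as f:
        return compare(json.load(f), current)

def accept(baseline_file, pending_file):
    """Promote the reviewed snapshot; same effect as `mv pending baseline`."""
    os.replace(pending_file, baseline_file)
```

Keep both database files outside the monitored directories, otherwise every run reports the database itself as changed.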