Check for failed logins in /var/log/messages Check if the /etc/passwd file have been changed Use commands like last, w and uptime. 2009/8/19 Eduardo Grosclaude <eduardo.grosclaude at gmail.com> > On Wed, Aug 19, 2009 at 1:57 AM, Bill Campbell<centos at celestial.com> > wrote: > > You cannot trust tools like ``ps'', ``find'', ``netstat'', and > > ``lsof'' as these are frequently replaced by ones that are > > modified to hide the cracker's work. > > As a corollary, the only safe way to audit a suspected system is > booting your diagnostic tool from known good media (eg try a security > Live CD distro) > > -- > Eduardo Grosclaude > Universidad Nacional del Comahue > Neuquen, Argentina > _______________________________________________ > CentOS mailing list > CentOS at centos.org > http://lists.centos.org/mailman/listinfo/centos > -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.centos.org/pipermail/centos/attachments/20090821/c44e2b94/attachment-0005.html>