> > Also processes you think you DO recognize:
> Just for testing how alert my co-workers were, I had a program called
> "kswapd", just calculating prime numbers...
> They never noticed. ;-)
>
> Without any preparation it's harder. No point in installing tripwire,
> activating apparmor/selinux afterwards.
> Those things should be done after a fresh installation.

Indeed. I once found a gdm binary that had been subverted. I'm certain that would fly below the radar of many organizations.

---------------------------------
Geoff Galitz
Blankenheim NRW, Germany
http://www.galitz.org/
http://german-way.com/blog/