> If you've been rooted, then the logs are probably no good. But check your wtmp
> for logons, and messages, and well if you don't see anything unusual there then
> they've probably been wiped. Have you regained root yet? Personally I would pull the
> box off net and backup the important config stuff, then blast it....but hey I
> tend to be a bit of an extremist in these cases...

A very helpful trick I did on a Linux box once that was rooted where
Mr. Friendly did a "rm -fr /" to try to make my life as difficult as
possible was:

(after installing the erased drive on a new machine)
strings /dev/hdc1 > keepme_hdc1

Due to the fact that "rm" really doesn't erase anything, the contents were
still there - doing a "strings" on the raw partition will retrieve a lot.

With a bit of patience, it's amazing what will show up -- usually, the
former contents of /var/log/* will show up as large chunks that are easily
read...  Turns out I found this guy's IP address and the time the system
was blasted - a call to MCI resulted in a small amount of satisfaction...

--mike
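As an added illustration of the trick described above (this is not code from the original thread), here is a small Python carver that applies the same rule as strings(1) to a raw image, keeps only the records that look like BSD syslog lines, and pulls any IPv4 address out of them. The image bytes below are constructed for the example; on a real case you would read the seized device or a dd image instead.

```python
"""Carve syslog-style records out of a raw partition image, the way
`strings /dev/hdc1` does, then extract timestamps and IPv4 addresses."""
from __future__ import annotations
import re

# strings(1) rule: runs of printable ASCII (plus tab) of at least min_len bytes.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09}

def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Return every printable run of length >= min_len, in image order."""
    out, run = [], bytearray()
    for b in data:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out

# Classic BSD syslog record: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
                       r"(?P<host>\S+) (?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def carve_log_lines(data: bytes) -> list[dict]:
    """Keep only strings shaped like syslog records; attach IPs found in each."""
    hits = []
    for s in extract_strings(data):
        m = SYSLOG_RE.match(s)
        if m:
            rec = m.groupdict()
            rec["ips"] = IPV4_RE.findall(rec["msg"])
            hits.append(rec)
    return hits

# Constructed sample "partition": binary filler with freed /var/log blocks in it.
SAMPLE_IMAGE = b"".join([
    b"\x00\x00\xff\x7f\x01ELF\x02\x01\x01",
    b"Jan 12 03:14:07 gw sshd[812]: Accepted password for root from 192.0.2.44 port 51023 ssh2\n",
    b"\x00" * 16, b"\x8b\x9c",
    b"Jan 12 03:15:52 gw su: root to nobody on /dev/ttyp1\n",
    b"junk\x00not a log line at all\x00",
    b"Jan 12 03:20:01 gw shutdown: halt by root\n",
])

if __name__ == "__main__":
    for rec in carve_log_lines(SAMPLE_IMAGE):
        print(rec["ts"], rec["prog"], rec["ips"], rec["msg"])
```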
