On Tue, Dec 19, 2000 at 03:24:15AM -0500, Mike Nowlin thus spoke:
> > If you've been rooted, then the logs are probably no good. But
> > check your wtmp for logons, and messages, and well if you don't
> > see anything unusual there then they've probably been wiped. Have
> > you regained root yet? ...
...
> Due to the fact that "rm" really doesn't erase anything, the
> contents were still there - doing a "strings" on the raw partition
> will retrieve a lot.
> With a bit of patience, it's amazing what will show up -- usually,
> the former contents of /var/log/* will show up as large chunks
> that are easily read... Turns out I found this guy's IP address
> and the time the system was blasted - a call to MCI resulted in a
> small amount of satisfaction...
It's amazing what TCT - The Coroner's Toolkit - will display.
'lazarus' causes files to rise from the dead. Used ahead of
time, you can run MD5 on the entire system so you can check
everything if you believe you've been broken into.
Dan Farmer and Wietse Venema wrote it.
Bill
--
Bill Vermillion - bv @ wjv . com
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-net" in the body of the message
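An added example (not from this thread and not TCT's own code) of the "run MD5 on the entire system ahead of time" idea Bill describes: record a digest for every regular file under a tree, then diff a later snapshot to list files that were added, removed or altered. It assumes Python 3 and a constructed temporary directory as the "system"; the digest defaults to SHA-256 rather than the MD5 the post mentions, and the baseline is only worth anything if it is kept somewhere an intruder with root cannot rewrite it.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def hash_file(path, algorithm="sha256", chunk=1 << 16):
    """Digest a file in chunks so large files need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root, algorithm="sha256"):
    """Walk a tree and map each regular file's relative path to its digest.
    Symlinks are skipped so a planted link cannot stand in for a real file."""
    root = Path(root)
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            baseline[p.relative_to(root).as_posix()] = hash_file(p, algorithm)
    return baseline


def compare_baseline(old, new):
    """Report paths that appeared, vanished, or whose digest changed."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in old.keys() & new.keys() if old[p] != new[p])
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario: snapshot a tiny tree, tamper with it, diff it."""
    root = Path(tempfile.mkdtemp())
    try:
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary")
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        before = build_baseline(root)          # taken while the box is clean
        (root / "bin" / "ls").write_bytes(b"replaced ls binary")  # altered
        (root / "bin" / "ps").write_bytes(b"unexpected new file")  # added
        (root / "etc" / "passwd").unlink()                         # removed
        after = build_baseline(root)           # taken after the incident
        return compare_baseline(before, after)
    finally:
        shutil.rmtree(root)
```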