how to check for a compromised system

Brent mrb at
Wed Jun 28 12:40:40 UTC 2006

Im running several servers all ranging from FBSD 4.11 through the 5.4 release
, patched of course. MY question is how do i check a system to see if has been
compromised ? I have already run a current version "chkrootkit" & found nothing.

The symptom im seeing is yesterday all of a sudden the root user was removed
from the /etc/passwd file & Im not sure on how to track down what happened. I
managed to recover from this. Are there any other tools that i can use to
track down say who did what on the box? files that may have changed & time &

any help is greatly appreciated


More information about the freebsd-questions mailing list