how to check for a compromised system

Lee Capps lcapps at
Wed Jun 28 12:57:38 UTC 2006

At 08:40 Wed 28 Jun 2006, Brent wrote:
> The symptom I'm seeing is yesterday all of a sudden the root user was removed
> from the /etc/passwd file & I'm not sure on how to track down what happened. I
> managed to recover from this. Are there any other tools that I can use to
> track down say who did what on the box? files that may have changed & time &
> dates...

There's another root kit search tool I've used called rkhunter.
It's in ports.

Have you rebooted the machine?  Sorry if this is obvious, but if
not, you could look for suspicious processes.  'Course, if you've
been rooted, you can't trust any of your binaries, including

What services was the machine running?  Maybe you could check
the modification time on /etc/passwd and look around that time in
the apache (or whatever) log files?

The one time I've dealt with a system compromise, I was able to
track down what happened by looking at the apache log files
(they got in using a php exploit).  But I caught it fairly
quickly, and they never got root.

Probably some others here are wiser and more experienced than I.


Lee Capps
Technology Specialist
CTE Resource Center
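
As an added example, not code from Lee's or Brent's messages, here is one way to do the time correlation Lee suggests: take the mtime of /etc/passwd and pull the Apache combined-log entries from a window around it. The log lines and the mtime below are constructed; a real run would read the access log from disk and take the mtime from a copy of the file made before recovery.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Apache combined-log timestamp, e.g. [28/Jun/2006:08:12:43 +0000]
_TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")


def file_mtime_utc(path):
    """Modification time of a file (e.g. /etc/passwd) as an aware UTC datetime."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)


def log_timestamp(line):
    """Parse the timestamp out of one combined-format log line, or return None."""
    m = _TS_RE.search(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")


def requests_near(log_lines, when, window=timedelta(minutes=10)):
    """Return the log lines whose timestamp falls within +/- window of 'when'."""
    lo, hi = when - window, when + window
    hits = []
    for line in log_lines:
        ts = log_timestamp(line)
        # Aware datetimes compare correctly even if the log uses another offset.
        if ts is not None and lo <= ts <= hi:
            hits.append(line)
    return hits


# Constructed sample access log; not taken from the original thread.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Jun/2006:06:02:11 +0000] "GET / HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [28/Jun/2006:07:55:40 +0000] "GET /news.php?id=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [28/Jun/2006:07:58:02 +0000] "POST /guestbook.php HTTP/1.1" 200 233 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [28/Jun/2006:09:30:17 +0000] "GET /about.html HTTP/1.1" 200 902 "-" "Mozilla/5.0"',
]

# Constructed: the mtime /etc/passwd had before it was restored (from a backup copy).
# On a live box you would use file_mtime_utc("/path/to/backup/passwd") instead.
PASSWD_MTIME = datetime(2006, 6, 28, 8, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for hit in requests_near(SAMPLE_LOG, PASSWD_MTIME):
        print(hit)
```

Restoring /etc/passwd resets its mtime, so the timestamp has to come from a copy saved before recovery (or from a backup's listing), not from the restored file.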

More information about the freebsd-questions mailing list