how to check for a compromised system

Chuck Swiger cswiger at
Wed Jun 28 14:14:33 UTC 2006

Brent wrote:
> Hello,
> Im running several servers all ranging from FBSD 4.11 through the 5.4 release
> , patched of course. MY question is how do i check a system to see if has been
> compromised ? I have already run a current version "chkrootkit" & found nothing.

There isn't a simple answer to that, but start with looking under /var/log and 
at the output of `last`.  You might consider running tcpdump -o _file_ for a 
day or so and review it for illicit traffic.

> The symptom im seeing is yesterday all of a sudden the root user was removed
> from the /etc/passwd file & Im not sure on how to track down what happened. I
> managed to recover from this. Are there any other tools that i can use to
> track down say who did what on the box? files that may have changed & time &
> dates...

find / -mtime 2

...would probably be a good starting point.


More information about the freebsd-questions mailing list