Strange perl script

Chad Perrin perrin at
Thu Oct 18 10:46:35 PDT 2007

On Thu, Oct 18, 2007 at 01:04:38AM -0500, Joshua Isom wrote:
> If a simple 'locate sploger' shows nothing(run `periodic weekly` which 
> will update your locate database assuming you're keeping things 
> relatively stock), then in all likelihood you've got an intruder.  If 
> some of the other tips posted give no help, and you've got time on your 
> hands, try `grep -l sploger /` and you'll find all files with sploger 
> in it.  If you've been broken into and they're being really tricky, it 
> won't work but odds are they aren't that bright if the process is still 
> in ps's output.

You might also (if you're in a little more of a hurry and taking the
computer out of production for a little bit isn't a problem) boot from a
LiveCD, mount all partitions from your hard drive so they're available
from the LiveCD OS, then updatedb and locate sploger so you're using
tools that haven't been compromised.  Even if it's not actually quicker,
it should *seem* quicker than using grep -- and if grep doesn't work,
this is more likely to work.

In the future, you may want to think about using some kind of integrity
auditing tool to periodically check for unauthorized changes.  Tripwire
is the canonical integrity auditing tool, but you can also use mtree and
even rsync for integrity auditing.

CCD CopyWrite Chad Perrin [ ]
They always say that when life gives you lemons you should make lemonade. 
I always wonder -- isn't the lemonade going to suck if life doesn't give
you any sugar?

More information about the freebsd-questions mailing list