Gentoo Wiki


This article is part of the Security series.



This document outlines suggested steps for determining if your system has been compromised. System administrators can use this information to look for several types of break-ins. We encourage you to review all sections of this document and modify your systems to close potential weaknesses.

In addition to the information in this document, we provide three companion documents that may help you:

We also encourage you to check with your vendor(s) regularly for any updates or new patches that relate to your systems.

Look For Signs That Your System May Have Been Compromised

Note that all action taken during the course of an investigation should be in accordance with your organization's policies and procedures.

find / -user root -perm -4000 -print
find / -group kmem -perm -2000 -print

Note that the above examples search the entire directory tree, including NFS/AFS mounted file systems. Some find(1) commands support an "-xdev" option to avoid searching those hierarchies. For example:

find / -user root -perm -4000 -print -xdev

Another way to search for setuid files is to use the ncheck(8) command on each disk partition. For example, use the following command to search for setuid files and special devices on the disk partition /dev/rsd0g:

ncheck -s /dev/rsd0g

Trojan horse programs may produce the same standard checksum and timestamp as the legitimate version. Because of this, the standard UNIX sum(1) command and the timestamps associated with the programs are not sufficient to determine whether the programs have been replaced. The use of cmp(1), MD5, Tripwire, and other cryptographic checksum tools is sufficient to detect these Trojan horse programs, provided the checksum tools themselves are kept secure and are not available for modification by the intruder. Additionally, you may want to consider using a tool (PGP, for example) to "sign" the output generated by MD5 or Tripwire, for future reference.

Also check for legitimate services that you have commented out in your /etc/inetd.conf. Intruders may turn on a service that you previously thought you had turned off, or replace the inetd program with a Trojan horse program.

find / -name ".. " -print -xdev
find / -name ".*" -print -xdev | cat -v

Also, files with names such as '.xx' and '.mail' have been used (that is, files that might appear to be normal).

Review Other CERT Documents

The information on the form helps us provide the best assistance, as it enables us to understand the scope of the incident, to determine if your incident may be related to any other incidents that have been reported to us, and to identify trends in intruder activities.

Related links


Admin of WindowsSecurity Company

Retrieved from ""

Last modified: Mon, 04 Aug 2008 09:06:00 +0000 Hits: 21,587