If the date and time of the intrusion, or of the installation of a rootkit or other software, can be determined, the task of clearing up the damage is made much easier. The timestamps on a file can be changed to mislead; nevertheless this procedure is frequently worthwhile.
There are three obvious ways to determine the critical date and time:
Given an approximate date/time to work with, say 3 days ago, 2005 Jun 19, try

    find / -ctime -4 -print

(find's -ctime -N means "inode changed less than N*24 hours ago", with any fractional day discarded, so allow a day or two more than the estimate; -ctime -2 would only reach back 48 hours and would miss a change made 3 days ago.) The three timestamps kept for each file are:

    atime : access --- the file was last read;
    ctime : change --- the file's inode was last changed (ownership, permissions, link count, or any write to the contents);
    mtime : modify --- the file's contents were last written.

ctime is the most useful of the three for this purpose. touch(1) can set atime and mtime to any value an intruder likes, but ctime is set by the kernel to the current time on every inode change and cannot be set through the normal file interfaces; faking it requires resetting the system clock or writing to the raw device. Alternatively, depending on the output format of ls, try one of these (ls -l shows mtime; use ls -lc to see ctime instead):
    ls -lR / | grep "Jun 19" | egrep -v "2004|2003"
    ls -lR / | grep "2005-06-19"

The egrep -v in the first form drops entries from earlier years: ls -l prints the year in place of the time for files older than about six months, so "Jun 19" alone would also match a file last modified on 19 June 2004. The second form suits an ls that prints ISO dates (for example GNU ls with --time-style=long-iso). Whichever form is used, remember that find and ls on a rootkitted system may themselves have been replaced with versions that hide files; for reliable results, this procedure should be done again after booting from reliable media.
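As an added example (not code from the original page), the following POSIX shell script carries out the ctime-versus-mtime comparison described above for an arbitrary cut-off date. Rather than counting 24-hour periods with -ctime, it writes the cut-off into the mtime of a scratch reference file with touch -t and lets find's -cnewer and -newer tests compare each file against it; the third function lists files whose inode change time is after the cut-off although their modification time has been pushed back before it, which is exactly what a timestamp reset with touch leaves behind. The function names and the constructed demonstration directory are assumptions; it needs a find(1) that supports -cnewer, which GNU and BSD find both do.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are
# hypothetical. Requires POSIX sh, find(1) with -newer/-cnewer,
# touch -t and mktemp.

# Create a scratch reference file whose mtime is STAMP (touch -t form,
# e.g. 200506190000 for 2005 Jun 19 00:00) and print its path.
make_ref() {
    ref=$(mktemp) || return 1
    touch -t "$1" "$ref" || { rm -f "$ref"; return 1; }
    printf '%s\n' "$ref"
}

# Regular files under DIR... whose inode change time (ctime) is later
# than STAMP. touch cannot set ctime, so a file whose mtime was reset
# still shows up here.
ctime_newer_than() {
    stamp=$1; shift
    ref=$(make_ref "$stamp") || return 1
    find "$@" -type f -cnewer "$ref" -print | sort
    rm -f "$ref"
}

# Regular files under DIR... whose modification time (mtime) is later
# than STAMP. This is what "ls -l | grep <date>" sees, and what an
# intruder can fake.
mtime_newer_than() {
    stamp=$1; shift
    ref=$(make_ref "$stamp") || return 1
    find "$@" -type f -newer "$ref" -print | sort
    rm -f "$ref"
}

# Files whose ctime is after STAMP but whose mtime claims to be before
# it: the inode was changed recently while the visible date was pushed
# back. Legitimately old files have an old ctime and are not listed.
backdated_files() {
    stamp=$1; shift
    ref=$(make_ref "$stamp") || return 1
    find "$@" -type f -cnewer "$ref" ! -newer "$ref" -print | sort
    rm -f "$ref"
}

# Constructed demonstration: one genuinely new file and one whose mtime
# has been reset to 2005 Jun 19 with touch -t, as an intruder might do.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'new config\n' > "$dir/recent.conf"
    printf 'trojan\n' > "$dir/backdated.so"
    touch -t 200506190000 "$dir/backdated.so"   # mtime/atime faked; ctime stays now
    cutoff=200506200000                          # 2005 Jun 20 00:00
    echo "ctime after $cutoff:";  ctime_newer_than "$cutoff" "$dir"
    echo "mtime after $cutoff:";  mtime_newer_than "$cutoff" "$dir"
    echo "mtime backdated:";      backdated_files "$cutoff" "$dir"
    rm -rf "$dir"
}

# Run the constructed demonstration when invoked as "sh script.sh demo".
if [ "${1-}" = demo ]; then demo; fi
```

On a real system, run the functions against / with the estimated intrusion date as the cut-off; the output of backdated_files is the short list to look at first. The same caveat as for find and ls applies: run it from a boot off trusted media, since the find on a rootkitted host may hide exactly the files of interest.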