If the date and time of the intrusion and/or of rootkit or other software installation can be determined the task of clearing up the damage is made much easier. The datestamp on a file can be changed to mislead; nevertheless this procedure is frequently worthwhile.

There are three obvious ways to determine the critical date and time:

• by noting the time/date when problems were noticed (e.g, from the details contained within the CERT report);
  
  
• from evidence in the (remote copy of the) system logs, or from differences in the logs — entries might be missing from the local copy;
  
  
• By finding (at least) one file which has been added or modified which should not have been: look for new libraries in /lib and /usr/lib, and utilities with new datestamps in /bin, /usr/bin, /sbin and /usr/sbin; look for recent changes in /etc.

Given an approximate date/time to work with, say 3 days ago, 2005 Jun 19, try

    find / -ctime -2 -print
        # atime :  access --- the file was last accessed;
        # ctime :  change --- changes were made to the file's inode;
        # mtime :  modify --- actual file contents changed;

    ls -lR / |  grep "Jun 19" | egrep -v "2004|2003"
    ls -lR / |  grep "2005-06-19"