On Fri, Feb 25, 2011 at 3:13 PM, Andrei Popescu <andreimpope...@gmail.com>wrote:
> On Vi, 25 feb 11, 12:42:51, Sjoerd Hardeman wrote: > > The fact that a compromised user account = a compromised machine is > > of course very true. However, when detected it might be that the > > attacker did not manage yet to get root permissions. Thus, it buys > > some time. > > But there is no 100% way to tell the machine is clean, so you will have > to wipe and reinstall anyway. > > tripwire? setup logrotate to log to another computer? there are other options than tripwire and logrotate, but those are the general theories that will let you know.
