On Thu, May 02, 2002 at 03:41:50PM -0500, Jason Sosinski wrote: > First, check the messages files for anything unsual (like times that you > > Second, check for times that root was logged into your system. This can > > Third check to see what commands root has ran in the past. This can be
[major snipping done!] Fourth, check to see if any other user has a UID of 0: $ grep :0: /etc/passwd If you see anything unusual here (i.e., not root, sync, shutdown, halt or operator), then you may have been hacked. I talked to somebody not too recently that saw the games account with UID 0. It's all over for you if this happened - it's re-install time. -- Ed Wilts, Mounds View, MN, USA mailto:[EMAIL PROTECTED] _______________________________________________ Redhat-list mailing list [EMAIL PROTECTED] https://listman.redhat.com/mailman/listinfo/redhat-list
