ACK! How to fix a compromised system?
Dave Hull
dphull at insipid.com
Sun Apr 20 21:49:43 CDT 2003
On Sun, 20 Apr 2003, Lucas Peet wrote:
> What constitutes 'wildly different'?
I don't remember and I'm too lazy to walk downstairs and fetch the book from
the library. But use your noggin; I'd guess it depends on what sorts of
processes are running on the system and how often new ones are spawned and
others exit, but I can tell you I've been running the command on some of
my systems and, aside from the issue with the ls alias when I first tried it,
the counts have always been the same. If I ran it and saw they were off (at
all) consistently over time, I'd start investigating.
If someone's installed a rootkit, it's pretty common for them to have some
sort of IRC client running which is used to communicate with your machine.
Other than that, there may not be much else running.
Again, I'm no expert.
--
Dave Hull
http://insipid.com
Lunatic Asylum, n.:
The place where optimism most flourishes.
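An added example of the kind of check the thread is talking about, written here and not taken from Dave's post or from the book he mentions. The book's exact command is not on the page, so this script assumes it compares the process list that ps(1) prints against the numeric entries the kernel exposes under /proc, and it repeats the comparison a few times, as the post suggests, so that a process exiting between the two snapshots is not mistaken for a hidden one. The function names and the PROCCHECK_SAMPLES / PROCCHECK_DELAY variables are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Assumption: the thread's "command"
# compares PIDs reported by ps(1) with numeric entries in /proc.

# PIDs the kernel exposes through /proc. A shell glob is used instead of ls so
# that an ls alias (the post mentions one skewing the count) cannot alter the
# output. Works on any system that mounts a Linux-style /proc.
proc_pids() {
    for d in /proc/[0-9]*; do
        [ -d "$d" ] && printf '%s\n' "${d#/proc/}"
    done
}

# PIDs as reported by ps(1). A trojaned ps is the classic way a userland
# rootkit hides its processes, so this is the list we distrust.
ps_pids() {
    ps -e -o pid= | tr -d ' '
}

# Number of PIDs in a newline-separated list passed as a string.
count_pids() {
    printf '%s\n' "$1" | grep -c -E '^[0-9]+$' || true
}

# PIDs present in list $1 but absent from list $2 (both newline-separated
# strings). Non-numeric lines are ignored.
pids_only_in_first() {
    {
        printf '%s\n' "$2" | sed 's/^/B /'
        printf '%s\n' "$1" | sed 's/^/A /'
    } | awk '$2 ~ /^[0-9]+$/ {
        if ($1 == "B") seen[$2] = 1
        else if (!($2 in seen)) print $2
    }'
}

# PIDs present in both lists: A minus (A minus B).
pids_in_both() {
    pids_only_in_first "$1" "$(pids_only_in_first "$1" "$2")"
}

# Take $1 samples, $2 seconds apart. A PID is only flagged if it is in /proc
# but missing from ps in every sample; anything that shows up once is most
# likely a process that exited between the two snapshots. Returns 1 when a
# PID stayed hidden in all samples.
watch_hidden() {
    samples=${1:-3}; delay=${2:-1}
    i=0; persistent=""
    while [ "$i" -lt "$samples" ]; do
        procs=$(proc_pids); pss=$(ps_pids)
        hidden=$(pids_only_in_first "$procs" "$pss")
        printf 'sample %d: /proc=%s ps=%s\n' "$i" \
            "$(count_pids "$procs")" "$(count_pids "$pss")"
        if [ "$i" -eq 0 ]; then
            persistent=$hidden
        else
            persistent=$(pids_in_both "$persistent" "$hidden")
        fi
        i=$((i + 1))
        [ "$i" -lt "$samples" ] && sleep "$delay"
    done
    if [ -n "$persistent" ]; then
        printf 'PIDs in /proc but missing from ps in every sample: %s\n' \
            "$(printf '%s' "$persistent" | tr '\n' ' ')"
        return 1
    fi
    echo "no process consistently hidden from ps"
    return 0
}

# Run a short watch when executed on a system that has /proc.
if [ -d /proc ]; then
    watch_hidden "${PROCCHECK_SAMPLES:-3}" "${PROCCHECK_DELAY:-1}" \
        || echo "discrepancy persisted across samples; investigate"
fi
```

The counts alone can differ by one or two on a busy box simply because ps itself is a process and others come and go, which is why the script reports the actual PIDs that stayed hidden rather than just the totals. It only catches a ps binary that lies about what /proc contains; a kernel-level rootkit that filters /proc itself would fool both sides of the comparison, so a persistent match is not proof of a clean system.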