Section 19.5 Check Other Logs

   



Besides the log files in /var/log, the intruder might have left behind evidence elsewhere. Some of these places are:

  1. the shell history files for root and other accounts

  2. users' various mailboxes, including outboxes such as .sent, mbox, and those in /var/spool/mail and /var/spool/mqueue

  3. /tmp, /usr/tmp, and /var/tmp

  4. hidden directories, such as /home/*/.??*

  5. other cracker-created files, frequently with hidden names beginning with "."

  6. backup tapes

  7. the free space in the file systems, though it is nontrivial to search this

  8. the logs of other systems, such as firewalls, intermediate compromised systems, and the ISP's systems
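
A triage sweep over items 1 through 5 of the list above, as an added example that is not from the book. The function name, its arguments and the output labels are assumptions; it expects the mount point of a read-only copy of the suspect file system.

```shell
#!/bin/sh
# Added example, not from the book. sweep_evidence and its arguments are
# hypothetical names. MOUNTPOINT should be a read-only mount of a copy of the
# suspect disk; DAYS limits the temp-directory report to recent files.
sweep_evidence() (
    cd "$1" || exit 1
    days=${2:-30}

    # Item 1: shell history files for root and other accounts.
    for h in root/.*history home/*/.*history; do
        if [ -L "$h" ]; then       # history redirected elsewhere, e.g. /dev/null
            echo "HISTORY-SYMLINK /$h -> $(readlink "$h")"
        elif [ -f "$h" ] && [ ! -s "$h" ]; then
            echo "HISTORY-EMPTY /$h"
        elif [ -f "$h" ]; then
            echo "HISTORY /$h"
        fi
    done

    # Item 2: mailboxes and outboxes, plus the mail spool and queue.
    for m in home/*/mbox home/*/.sent var/spool/mail/* var/spool/mqueue/*; do
        if [ -f "$m" ]; then echo "MAIL /$m"; fi
    done

    # Items 3 and 5: recently changed files in the temporary directories,
    # with dot-names reported separately. Symlinked directories are skipped
    # so an absolute link cannot lead out of the evidence copy.
    for d in tmp usr/tmp var/tmp; do
        if [ ! -d "$d" ] || [ -L "$d" ]; then continue; fi
        find "$d" ! -type d -mtime "-$days" -name '.*' -print | sed 's|^|TEMP-HIDDEN /|'
        find "$d" ! -type d -mtime "-$days" ! -name '.*' -print | sed 's|^|TEMP /|'
    done

    # Item 4: hidden directories matching /home/*/.??* (most are legitimate;
    # the list is for manual review).
    for p in home/*/.??*; do
        if [ -d "$p" ] && [ ! -L "$p" ]; then echo "HIDDEN-DIR /$p"; fi
    done

    # Item 5: names such as "..." or ".. " that blend in beside . and ..
    find . -xdev -name '..?*' -print | sed 's|^\.|DOTDOT-NAME |'
)

# Run directly as: sh sweep.sh /mnt/evidence 14   (constructed path)
if [ "$#" -gt 0 ]; then sweep_evidence "$@"; fi
```

Backup tapes, free space and the logs of other systems (items 6 through 8) are outside what a file-system walk can reach and are not covered.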


       


    Real World Linux Security Prentice Hall Ptr Open Source Technology Series
    Year: 2002
    Pages: 260
