I haven't built an integrity check like Tripwire.
[root@safari gugus]# find / -mtime -2 -print | tee changes.txt
This is only an excerpt of files I think shouldn't have changed:
/lib/modules/2.4.20-8/modules.dep
/lib/modules/2.4.20-8/modules.generic_string
/lib/modules/2.4.20-8/modules.pcimap
/lib/modules/2.4.20-8/modules.isapnpmap
/lib/modules/2.4.20-8/modules.usbmap
/lib/modules/2.4.20-8/modules.parportmap
/lib/modules/2.4.20-8/modules.ieee1394map
/lib/modules/2.4.20-8/modules.pnpbiosmap
/
/dev
/dev/pts
/dev/pts/0
/dev/pts/1
/dev/pts/2
/dev/log
/dev/console
/dev/dri
/dev/dri/card0
/dev/psaux
/dev/ptmx
/dev/shm
/dev/tty1
/dev/tty2
/dev/tty3
/dev/tty4
/dev/tty5
/dev/tty6
/dev/urandom
/dev/initctl
/dev/ptal-printd
/dev/gpmctl
Am I right? /proc is virtual and changes often.
With the Red Hat rescue system:
[root@safari gugus]# rpm --verify -a | tee rpm.txt
S.5....T c /etc/hotplug/usb.usermap
S.5....T c /etc/sysconfig/pcmcia
.......T c /etc/mail/sendmail.cf
S.5....T c /etc/mail/statistics
SM5....T c /etc/mail/submit.cf
missing /usr/lib/libpq.so.2.0
S.5....T c /etc/openldap/ldap.conf
S.5....T c /etc/krb.conf
S.5....T /usr/lib/openoffice/share/fonts/truetype/fonts.dir
.......T /usr/share/fonts/KOI8-R/100dpi/fonts.dir
S.5....T c /etc/pam.d/system-auth
..5....T c /etc/inittab
S.5....T c /etc/ldap.conf
S.5....T c /etc/sysconfig/rhn/up2date-uuid
S.5....T c /etc/yp.conf
.......T c /usr/share/fonts/default/Type1/fonts.dir
S.5....T c /etc/cups/cupsd.conf
.......T c /etc/cups/printers.conf
....L... /usr/lib/libglide3.so.3
S.5....T c /etc/xml/catalog
S.5....T c /usr/share/sgml/docbook/xmlcatalog
..5....T /usr/share/fonts/KOI8-R/75dpi/fonts.dir
..5....T /var/lib/wnn/ja/dic/gerodic/g-jinmei.dic
..5....T /var/lib/wnn/ja/dic/pubdic/bio.dic
..5....T /var/lib/wnn/ja/dic/pubdic/chimei.dic
..5....T /var/lib/wnn/ja/dic/pubdic/computer.dic
..5....T /var/lib/wnn/ja/dic/pubdic/full.fzk
..5....T /var/lib/wnn/ja/dic/pubdic/jinmei.dic
..5....T /var/lib/wnn/ja/dic/pubdic/kihon.dic
..5....T /var/lib/wnn/ja/dic/pubdic/kougo.fzk
..5....T /var/lib/wnn/ja/dic/pubdic/koyuu.dic
..5....T /var/lib/wnn/ja/dic/pubdic/setsuji.dic
..5....T /var/lib/wnn/ja/dic/pubdic/special.dic
..5....T /var/lib/wnn/ja/dic/pubdic/std.fzk
..5....T /var/lib/wnn/ja/dic/pubdic/symbol.dic
..5....T /var/lib/wnn/ja/dic/pubdic/tankan.dic
No binaries.
(Most of these files I know I worked with.)
S file Size differs
M Mode differs (includes permissions and file type)
5 MD5 sum differs
D Device major/minor number mis-match
L readLink(2) path mis-match
U User ownership differs
G Group ownership differs
T mTime differs
As you can see, lastlog is inactive - sadly.
$ lastb
lastb: /var/log/btmp: No such file or directory
Perhaps this file was removed by the operator to prevent logging lastb info.
ifconfig: received and transmitted bytes are, in my opinion, normal.
In /var/log/ I found nothing suspicious.
I can't see any abuse of my system?
Thank you very much for your help.
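The "no binaries" check above is done by eye; here is an added example (not from the post) that does the same triage over `rpm --verify` output automatically, separating config files (the `c` attribute) from non-config files whose MD5 sum or ownership/mode changed. The sample input is constructed for the example and includes two made-up changed binaries so the flagging is visible.

```sh
#!/bin/sh
# Constructed sample of `rpm --verify -a` output (made up for this example;
# the /bin/ls and /usr/bin/ssh lines do not come from the original post).
SAMPLE_RPMV='S.5....T c /etc/pam.d/system-auth
.......T c /etc/mail/sendmail.cf
missing   /usr/lib/libpq.so.2.0
....L...   /usr/lib/libglide3.so.3
..5....T   /var/lib/wnn/ja/dic/pubdic/bio.dic
S.5....T   /bin/ls
SM5..U.T   /usr/bin/ssh'

# Read rpm -V lines on stdin, print "CATEGORY path" per line.
# Field 1 is the SM5DLUGT status string (or the word "missing");
# field 2 is an attribute letter (c=config, d=doc, g=ghost, l=license,
# r=readme) when present, otherwise the path itself.
rpmv_classify() {
    awk '
    $1 == "missing"   { print "MISSING", $NF; next }
    $2 ~ /^[cdglr]$/  { print "CONFIG", $NF; next }
    $1 ~ /5/          { print "CHANGED_CONTENT", $NF; next }
    $1 ~ /[MUGDL]/    { print "CHANGED_META", $NF; next }
                      { print "TIME_OR_SIZE_ONLY", $NF }'
}

# Only the non-config files whose content or metadata differs from the
# package database: these are the ones worth comparing against a clean
# install or rescue media before trusting the host.
rpmv_suspicious() {
    rpmv_classify | awk '$1 == "CHANGED_CONTENT" || $1 == "CHANGED_META" { print $2 }'
}

# Count how many lines fell into a given category, e.g. rpmv_count CONFIG
rpmv_count() {
    rpmv_classify | awk -v cat="$1" '$1 == cat { n++ } END { print n + 0 }'
}

# Demo run over the constructed sample
printf '%s\n' "$SAMPLE_RPMV" | rpmv_classify
```

Note that `rpm -V` is only as trustworthy as the rpm database and binary it runs with, which is why running it from the rescue system as the post does is the right move.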