Hi,

There is a package called TCT (The Coroner's Toolkit), by Dan Farmer and Wietse Venema (the writers of TCP Wrappers). It specializes in forensics of computer security. You can look for it at http://www.porcupine.org/forensics

The docs say....

<quote>
........we feel that it's high time that more people knew about (and how to effectively utilize) MAC times, the possibilities of exploring - and recovering - Unix files that were removed or destroyed, capturing processes and their associated information and a fair bit more besides. If nothing else, we hope that when a Unix system has been broken into that the owner of the computer would have a chance of capturing (if not understanding) much of the crucial forensics data that is needed in order to understand what has happened on that system.
</quote>

On Thu, 8 Feb 2001, Markus Gaugusch wrote:

> > DON'T!! re-install until you have tried every avenue to try and find out how he got in, or you might end up spending days configuring your machine again, in exactly the same way and have him walk right back in after that.
>
> I said "put it off the net, backup, reinstall". I forgot to say that the backup should be used to reconstruct the incident. He also said that he was running a vulnerable version of bind. (ok, it may be something less obvious too, ...)
>
> Markus

regards
omicron

-- 
****** An optimist sees light at the end of every tunnel. A pessimist fears it might be of an incoming train.
omicron@omicron.dyndns.org
omicron.symonds.net
C O G I T O E R G O S U M
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
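The quoted TCT docs mention MAC times (modification, access and inode-change timestamps) as the core of a post-incident timeline. The following is an added example, not code from TCT or from anyone in the thread: it walks a directory tree with lstat, collects the three timestamps per file, and merges them into a sorted timeline with mactime-style "m.c" flags, which is the kind of view an investigator builds over a backup of the compromised machine before reinstalling. The sample tree it builds under a temporary directory, and the two fixed epoch values it assigns, are constructed for the demonstration; ctime cannot be set from user space, so it records the real inode-change time.

```python
import os
import tempfile
from datetime import datetime, timezone


def collect_mac_times(root):
    """Walk `root` and return {path: (mtime, atime, ctime)} as integer epochs.

    lstat is used so symlinks are recorded rather than followed; unreadable
    entries are skipped instead of aborting the whole walk.
    """
    records = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            records[path] = (int(st.st_mtime), int(st.st_atime), int(st.st_ctime))
    return records


def build_mac_timeline(records):
    """Merge per-file timestamps into a list of (epoch, flags, path), oldest first.

    flags is a three-character field in 'mac' order: a letter means that
    timestamp equals the event time, a dot means it does not (e.g. 'ma.').
    """
    events = {}
    for path, (mtime, atime, ctime) in records.items():
        for ts, letter in ((mtime, "m"), (atime, "a"), (ctime, "c")):
            events.setdefault((ts, path), set()).add(letter)
    timeline = []
    for (ts, path), letters in sorted(events.items()):
        flags = "".join(ch if ch in letters else "." for ch in "mac")
        timeline.append((ts, flags, path))
    return timeline


def format_timeline(timeline):
    """Render timeline rows as 'YYYY-MM-DD HH:MM:SS flags path' in UTC."""
    lines = []
    for ts, flags, path in timeline:
        when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        lines.append(f"{when} {flags} {path}")
    return lines


def make_sample_tree():
    """Constructed sample: a temp dir with two files given known m/a times.

    Returns (root, older_path, newer_path). The epoch values are arbitrary
    and exist only so the timeline order is predictable.
    """
    root = tempfile.mkdtemp(prefix="mac_demo_")
    older = os.path.join(root, "etc_passwd_copy")
    newer = os.path.join(root, "unexpected_binary")
    for path in (older, newer):
        with open(path, "w") as fh:
            fh.write("sample\n")
    os.utime(older, (1000000000, 1000000000))  # (atime, mtime); ctime becomes "now"
    os.utime(newer, (1000003600, 1000003600))
    return root, older, newer


if __name__ == "__main__":
    root, _, _ = make_sample_tree()
    for line in format_timeline(build_mac_timeline(collect_mac_times(root))):
        print(line)
```

Note that setting atime/mtime with utime updates ctime as a side effect, so the sample files show an "..c" event at the current time after their "ma." event; that same pattern (old mtime, fresh ctime) is exactly what an investigator looks for when a file's modification time has been backdated.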