If your system has been compromised, or if you think it might have been compromised,
you should immediately check for files that may have been modified by the intruder.
The intruder may have changed files in an extremely subtle way to install a backdoor so they can
break into the system again.
For example, the intruder might alter a standard script so that a particular parameter opens a backdoor,
or he or she may simply make a vulnerable script sticky, or executable only by the script's owner,
so they can use it to break
The find command is an extremely useful utility for finding such changes.
You should have some idea when the break-in may have occurred,
so use the find command to search for file modifications within the timeframe
in which you believe the attack occurred.
For example, the following will find all files in the /etc, /sbin, and /usr/sbin
directories whose contents have been modified within the past 48 hours:
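As an added example (not the original page's command), the 48-hour search described above can be written as the shell functions below. They also check ctime, because a permission change like the one mentioned earlier updates a file's ctime but leaves its mtime untouched. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: time-window triage with find(1). Function names are
# hypothetical. -H follows a start directory that is itself a symlink
# (on many systems /sbin is a link to /usr/sbin); -xdev stays on one
# filesystem. "-mtime -N" matches files modified less than N*24 hours ago.

# modified_within DAYS DIR...
# Regular files whose contents (mtime) changed within the window.
modified_within() {
    days=$1; shift
    find -H "$@" -xdev -type f -mtime "-$days" -print 2>/dev/null | sort
}

# changed_within DAYS DIR...
# Regular files whose inode (ctime) changed within the window. chmod,
# chown and rename update ctime, and touch cannot set it to a chosen value.
changed_within() {
    days=$1; shift
    find -H "$@" -xdev -type f -ctime "-$days" -print 2>/dev/null | sort
}

# metadata_only DAYS DIR...
# Recent ctime but older mtime: either only permissions or ownership were
# changed, or the mtime was set back after the contents were edited.
metadata_only() {
    days=$1; shift
    find -H "$@" -xdev -type f -ctime "-$days" ! -mtime "-$days" \
        -print 2>/dev/null | sort
}

# The search the text describes (past 48 hours = 2 days), run as root so
# unreadable directories are not skipped:
#   modified_within 2 /etc /sbin /usr/sbin
#   metadata_only   2 /etc /sbin /usr/sbin
```

Files reported by metadata_only deserve a closer look with ls -l, since their contents appear old while their permissions, ownership or timestamps were touched recently.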
For more information, consult the man pages using the command man find.
The next lesson describes Potentially Cracked Abused Files.