There are several ways you might discover a break-in:
Catching the perpetrator in the act. For example, you might see the superuser logged in from a cyber-café in Budapest when you are the only person who should know the superuser password.
Deducing that a break-in has taken place based on changes that have been made to the system. For example, you might receive an electronic mail message from an attacker taunting you about a security hole, you may discover new account entries in your /etc/passwd file, or your network connection may be running very slowly because the bandwidth is being used by people downloading copyrighted software from all over the world.
Receiving a message from a system administrator at another site indicating strange activity at his site that has originated from an account on your machine.
Strange activities on the system, such as system crashes, significant hard disk activity, unexplained reboots, minor accounting discrepancies, or sluggish response when it is not expected (500 copies of the FTP daemon being used to download warez may be exhausting your system’s resources).
There are a variety of commands that you can use to discover a break-in, including lsof, top, ps, and netstat. There are also several packages that you can use, including Tripwire, that are described elsewhere in this book. Use these tools on a regular basis, but use them sporadically as well. This introduces an element of randomness that can keep perpetrators ...