This section discusses in detail how to find out what an intruder may have done and how you should clean up afterwards.
Even if you don’t catch an intruder in the act, you still have a good chance of finding the intruder’s tracks by routinely looking through the system logs. (For a detailed description of the Unix log files, see Chapter 21.) Remember: look for things out of the ordinary. For example:
Users logging in at strange hours
Unexplained changes to the system clock
Unusual error messages from the mailer, ftp daemon, or other network server
Failed login attempts with bad passwords
Unauthorized or suspicious use of the su command
Users logging in from unfamiliar sites on the network
On the other hand, if the intruder is sufficiently skillful and achieves superuser access on your machine, he may erase all evidence of the invasion. Simply because your system has no record of an intrusion in the log files, you can’t assume that your system hasn’t been attacked.
Many intruders operate with little finesse: instead of carefully editing out a record of their attacks, they simply delete or corrupt the entire log file. This means that if you discover a log file deleted or containing corrupted information, there is a possibility that the computer has been successfully broken into. However, a break-in is not the only possible conclusion. Missing or corrupted logs might mean that one of your system administrators was careless; ...