I remember I sent weeks ago next email to other guy with same doubts: Hello, just if it helps, please find below these lines the steps I have used to analyze several suspicious machines in some customers, to check if they have been compromised or not: * Chrootkit && rkhunter -> To search for known trojans and common linux malware. * unhide (http://www.unhide-forensics.info/) -> to check for hidden processes and tcp sockets * rpm -Va -> To check binary integrity against installed rpms * If netstat binary looks to be sane, check listening sockets * If ps binary looks to be sane, check shown running processes * Check console connections with "last" and "lastb" commands * Tcpdump on network interfaces avoiding traffic for known running services (80, 25, 21, etc... depending on the role of the machine) to check for the weird traffic * grep -i segfault /var/log/* -> to check for buffer overflows in logs * grep -i auth /var/log/* |grep -i failed -> to check authentication failed tries. * lsmod -> to check loaded kernel modules (it is ver difficult to find out something wrong here, but just to be sure nothing weird appears). * lsof -> to check opened current files * Check xinetd -> to find out if someone has added some new "service" * have a look to /tmp, /opt, /usr/bin, /usr/local/bin, /usr/sbin and .bash_history... * check /etc/passwd and verify created users are licit to be there. * check crontab for every user to avoid any process to be programmed Hope the checklist helps... Regards, El 19/02/12 03:18, Al escribió: > On Feb 18, 2012, at 9:07 PM, Donkey Hottie wrote: > >> 19.2.2012 3:38, Al kirjoitti: >>> Any suggestions on what to run on a centos box to verify that the >>> server isn't compromised or being sniffed? Thanks! >> rkhunter comes to my mind. > Thanks for the suggestion, any others? > _______________________________________________ > CentOS mailing list > CentOS@xxxxxxxxxx > http://lists.centos.org/mailman/listinfo/centos > > -- Lorenzo Martinez Rodriguez Visit me: http://www.lorenzomartinez.es Mail me to: lorenzo@xxxxxxxxxxxxxxxxxx My blog: http://www.securitybydefault.com My twitter: @lawwait PGP Fingerprint: 97CC 2584 7A04 B2BA 00F1 76C9 0D76 83A2 9BBC BDE2 _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos