How to know if there was any change in my system yesterday?

Ashley Benton chuaukantli at gmail.com
Sun Aug 24 00:27:28 UTC 2008


On Sat, Aug 23, 2008 at 2:38 PM, Verde Denim <tdldev at gmail.com> wrote:

>
>
> On Sat, Aug 23, 2008 at 12:51 PM, Brian McKee <brian.mckee at gmail.com> wrote:
>
>> On Fri, Aug 22, 2008 at 12:09 PM, Ashley Benton <chuaukantli at gmail.com> wrote:
>> > Hi,
>> > Yesterday I used chm2pdf to be able to read a document. I had this strange
>> > message rm: permission to /root and every other system folders. I answered
>> > no
>>
>> Were you running the program as root or via sudo?
>
>
No I was using the terminal command as a regular user (chm2pdf --webpage
~/desktop/*.chm)

>
>>
>> Did you start it from the command line?   It might be enlightening to
>> review your .bash_history file.
>
>
When I type history in the terminal I didn't use the command sudo before
that happened but only after.

>
>>
>> A find command would show new files since yesterday, but wouldn't show
>> deletions etc....
>
>
It shows that the file srcpkgcache.bin was modified as well as syslog,
access_log and dmesg. I will try to find what was modified if I can find a
log in var/log

>
>>
>> rootkit hunter and others would spot changes if you'd been running
>> those programs *before* you had a problem.  Checking after the fact is
>> a chicken-and-egg problem, since you can't trust the system to verify
>> itself if the system is untrustworthy.
>
>

It was a private computer and I installed rkhunter only after that had
happened. It found two suspicious files in /dev
(/dev/shm/pulse-shm-3256157084: data and /dev/shm/pulse-shm-31......) It
also found 4 hidden files (/etc/.java  ; /dev/.static  ; /dev/.udev  ;
/dev/.initramfs)
I don't know what the suspicious files are yet.



>>
> Even though it's after the fact, if you installed samhain, it would at least
> alert you whenever a system file changed. I'm not sure if it can be
> configured to alert whenever *any* file changed, though. But it would be a
> good app to have running if you've ever wondered which files are changing in
> the system.
>

I installed it a few minutes ago and will check the man page to learn how to
use it.


Thank you for your answers.
>
>
Meg

>
>>
>> --
>> ubuntu-users mailing list
>> ubuntu-users at lists.ubuntu.com
>> Modify settings or unsubscribe at:
>> https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
>>
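
The two points raised in the thread, that a `find` by modification time cannot show deletions and that an integrity checker only helps if its baseline predates the problem, shown as an added example that is not part of the original messages. The function names and the manifest format are assumptions made for this sketch, and it relies on GNU `find`, `sort`, `xargs` and `sha256sum` as shipped on Ubuntu.

```shell
#!/usr/bin/env bash
# Added example: minimal baseline-and-compare integrity check.
# baseline/compare/demo and the manifest layout are illustrative names only.

# baseline DIR MANIFEST: record a SHA-256 for every regular file under DIR.
baseline() {
    ( cd "$1" && find . -xdev -type f -print0 | sort -z \
        | xargs -0 -r sha256sum ) > "$2"
}

# compare DIR MANIFEST: report files added, modified or removed since the
# baseline. A removed file is visible only because the baseline listed it.
compare() {
    local now
    now=$(mktemp) || return 2
    baseline "$1" "$now"
    awk '
        { hash = $1; path = substr($0, 67) }   # 64 hex chars + 2 separators
        FILENAME == ARGV[1] { old[path] = hash; next }   # baseline manifest
        !(path in old)    { print "ADDED    " path; seen[path] = 1; next }
        old[path] != hash { print "MODIFIED " path }
        { seen[path] = 1 }
        END { for (p in old) if (!(p in seen)) print "REMOVED  " p }
    ' "$2" "$now" | sort
    rm -f "$now"
}

# demo: constructed sample tree, snapshotted BEFORE the changes are made.
demo() {
    local d m
    d=$(mktemp -d) || return 2
    m=$(mktemp) || return 2
    printf 'a\n' > "$d/keep.conf"
    printf 'b\n' > "$d/edit.conf"
    printf 'c\n' > "$d/gone.conf"
    baseline "$d" "$m"
    printf 'B\n' > "$d/edit.conf"     # content change
    rm "$d/gone.conf"                 # deletion: invisible to find -mtime
    printf 'n\n' > "$d/new file"      # new file, name contains a space
    compare "$d" "$m"
    rm -rf "$d" "$m"
}

demo
```

A manifest stored on the monitored machine can be rewritten along with the files it describes, so keep the baseline on read-only or offline media.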