Warning Signs for Unix

Warning signs to watch for on a Unix machine:

• Programs or commands don't run properly
  Has a particular program started crashing recently? Are you getting different output from a command than what you expect? It's possible that someone has gotten into your computer and is trying to hide the signs of entry.

• You're finding strange files or files in the wrong places
  Hackers frequently hide their files in plain sight. Favorite locations are large, seldom visited directories. If you find a rootkit or a file that indicates a known virus, you've definitely had a security incident.

  A perfect example is the /dev directory on Unix systems—a huge filesystem full of obscure files. Since most people don't have any reason to look in /dev, it's the perfect place for the intruder to store files. (A quick way to check /dev is to type file /dev/* | grep -v special, which will return only non-device files. You should be left with a couple of directories and maybe an ASCII file or two. Of course, this assumes that an intruder hasn't replaced the file program with his own executable.)

• Your "last login" reports the wrong information
  Many servers report your last known login time and the machine you were connecting from.

  If your server says you logged in from Finland at 3:00 in the morning and you know you were in bed at 3:00 A.M. and use only a local computer to connect to the server, someone else probably has your password.