Re: FC9 Compromised...

On Fri, Feb 27, 2009 at 3:32 PM, Patrick O'Callaghan
<pocallaghan@xxxxxxxxx> wrote:
> On Fri, 2009-02-27 at 14:08 -0800, Aldo Foot wrote:
>> You could try booting with a LiveCD and use find to expose files
>> created recently.
>
> No good. A rootkit could have changed the file creation time.

True. But years ago, while gathering data from a compromised system
I came across an executable named "zap" and the command strings
showed what was supposed to happen to wtmp files and the like. So,
file names alone may be suspicious.

~af

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
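
The content-based check described in the reply above (running strings over a suspect binary and seeing references to wtmp), as an added example that is not part of the original message: it scans a filesystem mounted read-only from a LiveCD for ELF files whose embedded strings name login-record files, so it does not depend on file timestamps. The list of paths, the size limit and the function names are assumptions of this example.

```python
import os
import re
import sys

# Login-record files a log cleaner would touch (assumed list for this example).
LOG_PATHS = (b"/var/log/wtmp", b"/var/run/utmp", b"/var/log/lastlog", b"/var/log/btmp")
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")  # same minimum length as strings(1)
ELF_MAGIC = b"\x7fELF"
MAX_BYTES = 16 * 1024 * 1024  # read at most 16 MiB of each file


def log_strings(path):
    """Return printable strings in an ELF file that mention a login-record path."""
    try:
        with open(path, "rb") as fh:
            data = fh.read(MAX_BYTES)
    except OSError:
        return []  # unreadable file: skip it, do not abort the scan
    if not data.startswith(ELF_MAGIC):
        return []  # only executables and libraries are of interest
    hits = []
    for match in PRINTABLE_RUN.finditer(data):
        if any(p in match.group() for p in LOG_PATHS):
            hits.append(match.group().decode("ascii"))
    return hits


def scan(root):
    """Walk a mounted (offline) filesystem; map each matching ELF file to its hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):  # does not follow directory symlinks
        for name in files:
            full = os.path.join(dirpath, name)
            # Skip symlinks, FIFOs and device nodes so the scan cannot block.
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            hits = log_strings(full)
            if hits:
                findings[full] = hits
    return findings


if __name__ == "__main__":
    # Usage: python3 scan_logrefs.py /mnt/sysimage
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in sorted(scan(root).items()):
        print(path, "->", ", ".join(sorted(set(hits))))
```

Legitimate programs such as login and last also reference these files, so the output is a shortlist to compare against the package database, not a verdict.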
