Real World Linux Security Prentice Hall Ptr Open Source Technology Series


19.5 Check Other Logs

Besides the log files in /var/log, the intruder might have left evidence in other places. Some of these are:

  1. the shell history files for root and other accounts

  2. users' various mailboxes, including outboxes such as .sent, mbox, and those in /var/spool/mail and /var/spool/mqueue

  3. /tmp, /usr/tmp, and /var/tmp

  4. hidden directories, such as /home/*/.??*

  5. other cracker-created files, frequently given hidden names beginning with "." (or names such as "..." or ". " that are easy to overlook in a directory listing)

  6. backup tapes

  7. the free space in the file systems, though it is nontrivial to search this

  8. the logs of other systems, such as firewalls, intermediate compromised systems, and the ISP's systems
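The following script is an added example, not part of the book; it walks items 1, 3, 4 and 5 of the list above under a mount point given as an argument (the idea is a disk from the compromised host mounted read-only on a clean system, so that a trusted find(1) and shell are used rather than whatever a rootkit left behind). The sample tree it builds under a temporary directory, the account names, and the reference file marking the last known-good backup are all constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the book). All paths below are illustrative.

# Item 1: shell history files for root and all home directories.
# Symlinks are included on purpose: a history linked to /dev/null is a
# classic way of disabling it, and is itself a clue.
list_history_files() {
    find "$1/root" "$1/home" \( -type f -o -type l \) -name '.*history' 2>/dev/null | sort
}

# Classify each history file: linked away, empty, or present with content.
history_status() {
    list_history_files "$1" | while IFS= read -r f; do
        if [ -L "$f" ]; then echo "LINK  $f -> $(readlink "$f")"
        elif [ ! -s "$f" ]; then echo "EMPTY $f"
        else echo "OK    $f ($(wc -l < "$f") lines)"
        fi
    done
}

# Items 4 and 5: hidden names anywhere under the mount. Matches names that
# start with "." (including "...") and names containing a space (". ").
# Expect legitimate entries (.ssh, .bashrc); compare against what the
# account owners are known to have.
find_hidden_names() {
    find "$1" -mindepth 1 \( -name '.*' -o -name '* *' \) 2>/dev/null | sort
}

# Item 3 (temp directories) plus the home and root directories: regular
# files whose mtime is later than a reference file marking the last
# known-good point (the timestamp of the last clean backup, for example).
find_changed_since() {
    find "$1/tmp" "$1/usr/tmp" "$1/var/tmp" "$1/home" "$1/root" \
        -type f -newer "$2" 2>/dev/null | sort
}

# Constructed sample tree (assumption, not real evidence) so the script
# runs offline: one history linked to /dev/null, one empty, one normal,
# a "..." directory, a ". " directory in /tmp, and two backdated files.
build_sample_tree() {
    root=$1; ref=$2
    mkdir -p "$root/root" "$root/home/alice/.ssh" "$root/home/bob/..." \
             "$root/tmp/. " "$root/usr/tmp" "$root/var/tmp"
    ln -s /dev/null "$root/root/.bash_history"
    printf 'ls\nw\n' > "$root/home/alice/.bash_history"
    : > "$root/home/alice/.ssh/authorized_keys"
    : > "$root/home/bob/.bash_history"
    : > "$root/home/bob/.../t.tar"
    : > "$root/tmp/. /a.out"
    : > "$root/var/tmp/old.log"
    touch -t 202001010000 "$ref"                     # last known-good point
    touch -t 201912010000 "$root/home/bob/.bash_history" "$root/var/tmp/old.log"
}

TMP=$(mktemp -d); ROOT=$TMP/fs; REF=$TMP/ref
build_sample_tree "$ROOT" "$REF"
echo "== history files";              history_status "$ROOT"
echo "== hidden names";               find_hidden_names "$ROOT"
echo "== changed since last backup";  find_changed_since "$ROOT" "$REF"
```

To use it on real evidence, call the three functions with the mount point of the suspect disk (for example /mnt/evidence) instead of the constructed tree. Two caveats: mtime is trivially forged with touch, so on GNU find also compare ctime with -cnewer, which an intruder cannot set directly; and an empty or linked-away history is evidence of cleanup rather than proof of innocence.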

