If there is reason to suspect that the integrity of a host has been compromised, you should gather evidence to validate or refute your hypothesis. Evidence that may validate your suspicion includes unexpected network connections, unexpected processes, processes behaving in an unexpected manner, unexpected user(s) logged onto the system, and/or unexpected user activity. It is not uncommon for attackers to take active measures to hinder your ability to gather that evidence. A common packaging of such hiding techniques and tools is the 'root-kit'. The following is a list of tools and methods for working around root-kits.
Since root-kits often replace the common userland utilities used to gather evidence, such as netstat, last, w, ifconfig, and ps, it is important to establish a working environment with a reasonable degree of integrity. Creating a trusted working environment on an untrusted computer is at best a paradox and sometimes an impossibility. The best we can currently do is bring our own trusted versions of the userland programs onto the system, preferably statically linked so they do not load shared libraries from the suspect host, and make sure we actually use them rather than the host's copies. You will need a shell and all the utilities you expect to use. These include:
On the suspect system, mount the CD-ROM and start a shell from it to work in. For instance:
/mnt/cdrom/bin/bash --rcfile /mnt/cdrom/etc/bashrc --noprofile -i
The bashrc on the CD should unset the HISTFILE variable so the shell does not write a history file to your home directory (we are trying to minimize the effects of our actions on the host's filesystems), and it should set PATH to the CD's directories so that bare command names resolve to the trusted copies rather than to whatever the attacker left on the host. Once you are operating in a clean shell, the following commands can be used to capture initial evidence, preferably in the order specified:
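The following is an added example of the trusted-shell setup described above; it is not code from the original page. It assumes the toolkit is mounted at /mnt/cdrom (the mount point used in the text) with binaries under bin/ and sbin/, and optionally a SHA-256 manifest named MANIFEST.sha256 at the top of the media; the function names, the manifest name and the TOOLKIT variable are this example's own choices. It generates the rc file the shell is started with, checks that each tool you are about to rely on really resolves to the toolkit copy under the current PATH, and verifies the toolkit binaries against the manifest using the toolkit's own sha256sum.

```shell
#!/bin/bash
# Trusted-toolkit helpers (added example; assumptions: toolkit mounted at
# $TOOLKIT, binaries in $TOOLKIT/bin and $TOOLKIT/sbin, hash manifest at
# $TOOLKIT/MANIFEST.sha256 generated when the media was built).
TOOLKIT="${TOOLKIT:-/mnt/cdrom}"

# Print the PATH a trusted shell should use: toolkit directories only, so a
# bare command name can never resolve to a binary on the suspect disk.
trusted_path() {
    printf '%s\n' "$TOOLKIT/bin:$TOOLKIT/sbin"
}

# Write the rc file the trusted shell is started with (bash --rcfile FILE).
# It disables history so nothing is written to the host's filesystems and
# pins PATH to the toolkit.  $(trusted_path) expands when the file is written.
write_trusted_bashrc() {
    out="$1"
    cat > "$out" <<EOF
# Trusted shell rc file for incident response work
unset HISTFILE          # never write ~/.bash_history on the suspect host
HISTSIZE=0
set +o history
PATH="$(trusted_path)"
export PATH
hash -r                 # forget lookups cached under the old PATH
umask 077
EOF
}

# Check that a command name resolves to a binary inside the toolkit under the
# *current* PATH.  Returns 0 if it does, 1 if it resolves somewhere else (the
# host's copy, or a shell builtin/alias, which 'command -v' reports without a
# leading slash), 2 if it is not found at all.
check_tool() {
    name="$1"
    resolved="$(command -v "$name" 2>/dev/null)" || return 2
    case "$resolved" in
        "$TOOLKIT"/*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Check every tool the investigation will rely on and report the ones that
# would come from the suspect host.  Returns 0 only if all are trusted.
check_tools() {
    rc=0
    for t in "$@"; do
        status=0
        check_tool "$t" && status=0 || status=$?
        case "$status" in
            0) ;;
            1) printf 'UNTRUSTED: %s -> %s\n' "$t" "$(command -v "$t")" >&2; rc=1 ;;
            *) printf 'MISSING:   %s\n' "$t" >&2; rc=1 ;;
        esac
    done
    return "$rc"
}

# Verify the toolkit binaries against the manifest burned onto the media,
# using the toolkit's own sha256sum (never the host's).  Paths in the manifest
# are relative to the toolkit root, e.g. "<hash>  bin/ps".  Returns 0 if all
# hashes match, 2 if there is no readable manifest, non-zero otherwise.
verify_manifest() {
    manifest="${1:-$TOOLKIT/MANIFEST.sha256}"
    [ -r "$manifest" ] || { echo "no manifest at $manifest" >&2; return 2; }
    (cd "$TOOLKIT" && "$TOOLKIT/bin/sha256sum" -c "$manifest" >/dev/null)
}

# Usage, from the trusted shell on the suspect host:
#   verify_manifest && check_tools bash ps netstat lsof ls cat w last ifconfig
```

Run verify_manifest before anything else: if the hashes do not match, the media or the mount is not what you burned and nothing that follows can be trusted. check_tools is worth rerunning after any change to PATH, since one stray host directory ahead of the toolkit is enough to hand control back to the root-kit.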