Once you have determined that your system has been broken into, the next step is to find any processes the intruder has left running. Remember that any program on the system may have been replaced, including the very tools you would use to look for them.
It is preferable to do this investigation as a non-privileged user that has no access to anything important. A trojanned or otherwise compromised program may be sitting on the machine waiting for an administrator to run it as root before it triggers, so the less authority the account doing the looking has, the less damage such a trap can do.
It is advisable to keep a "stealth" copy of ps under an unassuming name, so that an intruder watching the process list does not see ps being run and realise they are being looked for. Pick the name of a program that normally runs on the system: do a ps listing of a known-good machine and note root daemons such as lpd and sendmail as candidate names for your stealth ps executable. The copy should come from trusted installation media rather than from the compromised system, and a statically linked build is preferable, since a dynamically linked ps still trusts libc and the system's process-listing library, either of which may have been trojanned. Note that none of this helps against a kernel-level rootkit, which can hide a process from every userland tool. Some crackers might also notice that sendmail should not be running with an argument of axlww, so if you are feeling ambitious, grab the source of ps and tweak it to build a custom version that defaults to these flags. To recall what these flags do:
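One way to put the idea into practice without trusting the installed ps at all is to read the process table straight from /proc and cross-check it against what ps reports; a process present in /proc but missing from the ps listing is the classic signature of a trojanned ps or an LD_PRELOAD process hider. The script below is an added example, not code from these class notes: it assumes a Linux /proc layout, and its sample ps output and fake /proc tree are constructed here for an offline demonstration.

```python
#!/usr/bin/env python3
"""Minimal /proc process lister with a cross-check against `ps axlww` output.

Added example (not from the original class notes). It reads /proc directly,
so it depends only on the kernel's view of the process table and not on the
ps binary or its shared libraries. It does NOT defeat a kernel-level rootkit,
which can lie in /proc just as easily.
"""
import os
import re
import subprocess
import sys
import tempfile

# `ps axlww` prints 13 columns; COMMAND is last and may contain spaces.
PS_COLUMNS = 13


def parse_ps_axlww(text):
    """Parse `ps axlww` output into {pid: command}, skipping the header."""
    procs = {}
    for line in text.strip().splitlines()[1:]:
        fields = line.split(None, PS_COLUMNS - 1)
        if len(fields) < PS_COLUMNS:
            continue  # malformed line; ignore rather than crash
        procs[int(fields[2])] = fields[12]
    return procs


def list_proc(proc_root="/proc"):
    """Walk /proc and return {pid: (uid, comm, cmdline)} without using ps."""
    procs = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "status")) as f:
                status = f.read()
            with open(os.path.join(base, "cmdline"), "rb") as f:
                raw = f.read()
        except OSError:
            continue  # process exited between listdir() and open()
        name = re.search(r"^Name:\s*(.*)$", status, re.M)
        uid = re.search(r"^Uid:\s*(\d+)", status, re.M)
        cmdline = raw.replace(b"\0", b" ").strip().decode(errors="replace")
        procs[int(entry)] = (int(uid.group(1)) if uid else -1,
                             name.group(1) if name else "?",
                             cmdline or "[kernel thread]")
    return procs


def hidden_from_ps(proc_view, ps_view):
    """PIDs the kernel knows about that ps did not report."""
    return sorted(pid for pid in proc_view if pid not in ps_view)


def scan():
    """Live check: snapshot /proc before and after running ps so that
    processes which started or exited during the run are not flagged."""
    before = list_proc()
    out = subprocess.run(["ps", "axlww"], capture_output=True,
                         text=True, check=True).stdout
    after = list_proc()
    stable = {pid: v for pid, v in after.items() if pid in before}
    return [(pid, stable[pid]) for pid in hidden_from_ps(stable, parse_ps_axlww(out))]


# --- constructed sample data for the offline demo ---------------------------
SAMPLE_PS = """F   UID     PID    PPID PRI  NI    VSZ   RSS WCHAN  STAT TTY        TIME COMMAND
4     0       1       0  20   0 167000 11000 -      Ss   ?          0:01 /sbin/init
1     0     612       1  20   0  30000  3000 -      Ss   ?          0:00 /usr/sbin/cron -f
4     0     640       1  20   0  70000  8000 -      Ss   ?          0:00 sendmail: MTA: accepting connections
"""

SAMPLE_PROC = {  # what the kernel really has; 1337 is hidden by the trojanned ps
    1:    (0, "init",     "/sbin/init"),
    612:  (0, "cron",     "/usr/sbin/cron -f"),
    640:  (0, "sendmail", "sendmail: MTA: accepting connections"),
    1337: (0, "sh",       "/dev/.hidden/backdoor -p 31337"),
}


def fake_proc(root, procs):
    """Write a constructed /proc-style tree (demo only, not a real /proc)."""
    for pid, (uid, name, cmdline) in procs.items():
        d = os.path.join(root, str(pid))
        os.makedirs(d)
        with open(os.path.join(d, "status"), "w") as f:
            f.write(f"Name:\t{name}\nUid:\t{uid}\t{uid}\t{uid}\t{uid}\n")
        with open(os.path.join(d, "cmdline"), "wb") as f:
            f.write(cmdline.replace(" ", "\0").encode() + b"\0")


def demo():
    """Run the cross-check on the constructed data; returns [1337]."""
    with tempfile.TemporaryDirectory() as tmp:
        fake_proc(tmp, SAMPLE_PROC)
        return hidden_from_ps(list_proc(tmp), parse_ps_axlww(SAMPLE_PS))


if __name__ == "__main__":
    if "--demo" in sys.argv:
        print("hidden pids (demo):", demo())
    else:
        for pid, (uid, comm, cmd) in scan():
            print(f"HIDDEN pid={pid} uid={uid} comm={comm} cmd={cmd}")
```

Run it with `--demo` to see the constructed case, or without arguments on a live Linux box; install the script itself under an unassuming name, as the notes suggest for the stealth ps, and keep in mind that the interpreter it runs under is one more binary you are trusting.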