Evaluate Programs for Size

When a system is cracked often a trojan replaces important programs that could find a crack attempt. The programs most often replaced are ps,top, login, and last. Each of these programs could easily demonstrate that an intruder has arrived so they are replaced with a partly functioning program, thus covering the tracks of the intruder. Usually these replaced programs are larger than the original in size, over 100K. Use the -l with ls to show size:

ls -l `which top`

Typical return, notice the size, 81K.
-r-xr-xr-x 1 root root 81100 2003-09-23 11:03 /usr/bin/top

The location of top and last is typically /usr/bin while the location of ps and login are /bin. These files can all be found by using the command which:

which ps

Copyright CyberMontana Inc. and BeginLinux.com

All rights reserved. Cannot be reproduced without written permission. Box 1262 Trout Creek, MT 59874