To check for a possible Trojan horse, examine the filesystem periodically for files with setuid permission. The following command lists these files:

Listing setuid files
$ sudo find / -perm -4000 -exec ls -lh {} \; 2> /dev/null
-rwsr-xr-x 1 root root 25K Oct 19 15:52 /usr/bin/newgrp
-rwsr-xr-x 1 root root 35K Oct 19 15:52 /usr/bin/chfn
-rwsr-xr-x 1 root root 29K Oct 19 15:52 /usr/bin/chsh
-rwsr-xr-x 1 root root 38K Oct 19 15:52 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 35K Oct 19 15:52 /usr/bin/passwd
-rwsr-sr-x 1 root root 21K Dec 6 22:11 /usr/bin/X
-rwsr-xr-x 2 root root 104K Oct 9 04:39 /usr/bin/sudoedit
-rwsr-xr-x 2 root root 104K Oct 9 04:39 /usr/bin/sudo
-rwsr-sr-x 1 daemon daemon 44K Jul 20 2007 /usr/bin/at
-rwsr-xr-x 1 root root 14K Oct 16 10:33 /usr/bin/arping
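
The periodic check described above is easier to act on when each run is compared with a saved baseline, so that a new setuid file or a replaced one stands out. The following is an added example, not part of the original page; the function names and the baseline line format (mode, owner:group, SHA-256, path) are assumptions made for illustration, and it assumes GNU stat and sha256sum are available.

```shell
#!/bin/sh
# Added example (not from the original page): setuid audit against a baseline.
# Run as root so that binaries unreadable to ordinary users can be hashed.
# Paths containing newlines are not handled.

# list_setuid ROOT
# Print one line per setuid regular file under ROOT:
#   <octal mode> <owner>:<group> <sha256> <path>
list_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null |
    while IFS= read -r f; do
        printf '%s %s %s\n' \
            "$(stat -c '%a %U:%G' "$f")" \
            "$(sha256sum < "$f" | cut -d' ' -f1)" \
            "$f"
    done
}

# report_changes BASELINE ROOT
# Print "NEW" for setuid files missing from BASELINE and "CHANGED" for
# files whose mode, ownership or content hash differs from BASELINE.
report_changes() {
    current=$(mktemp) || return 2
    list_setuid "$2" > "$current"
    awk '
        # The path is everything after the first three fields.
        { path = $0; sub(/^[^ ]+ [^ ]+ [^ ]+ /, "", path) }
        FILENAME == ARGV[1] { base[path] = $0; next }   # baseline file
        !(path in base)     { print "NEW     " $0; next }
        base[path] != $0    { print "CHANGED " $0 }
    ' "$1" "$current"
    rm -f "$current"
}

# Usage (hypothetical script name setuid-audit.sh):
#   sudo sh setuid-audit.sh baseline /root/setuid.baseline /
#   sudo sh setuid-audit.sh check    /root/setuid.baseline /
case "${1:-}" in
    baseline) list_setuid "${3:-/}" > "$2" ;;
    check)    report_changes "$2" "${3:-/}" ;;
esac
```

An empty result from the check means every setuid file still matches the baseline; any line printed is a file to inspect before the baseline is refreshed.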