File system changes

• estimate a time in the past that was before the breakin
• this should be a time after the last OS upgrade
• preferably, a time after large-scale patch installations
• you may need to make multiple such estimates
• with no information, 120 days ago is a reasonable guess

Running find

• check for inode modifications after the estimated date
• often there will be huge numbers of modified files
• find / /usr /var -ctime -120 -mount -type f -print
• any one unauthorized change confirms a breakin
• Solaris may change some configuration files at boot time
• an example is /etc/nsswitch.conf