Using common programs to examine the machine

• ls and ps may be modified; copy from another machine
• ps may list processes started as root using './'
• e.g., a ps entry of ./sshd is probably not legitimate
• use ls to check critical directories for recent files
• examples: "ls -alt /etc" and "ls -alt /bin"

One limitation: there may be unexpected kernel modules

• sitf - Solaris Integrated Trojan Facility
• a loadable kernel module used by some intruders
• changes some system calls and is not listed by modinfo
• open, read, and chdir are changed; hide intruder's files

(Solaris libc is probably not replaced by an intruder)