Forensics 10. Intrusion detection using Tripwire

Different incident, this time on a machine with Tripwire monitoring in place:
  foo:added: drwx------ root     512
               May  1 05:42:01 1999 /usr/bin/...
  foo:added: -rwx------ root   24896
               May  1 05:40:14 1999 /usr/bin/.../csh
  foo:added: -rws--s--x root      90
               May  1 05:26:14 1999 /usr/bin/.../slog
  foo:added: -rws--s--x root      39
               May  1 05:26:14 1999 /usr/bin/.../cron
  foo:added: -rws--s--x root   80816
               May  1 05:28:27 1999 /usr/bin/.../ksh
  foo:added: -rw------- root   19640
               May  1 05:39:49 1999 /usr/bin/.../solsniffer.c
  foo:added: -rw------- root     179
               May  1 05:42:38 1999 /usr/bin/.../tcp.out
  foo:added: -rw------- root    1098
               May  1 05:45:41 1999 /usr/bin/.../cront
Note the use of ... to 'hide' the directory name, and the addition of a password sniffer, with its output in tcp.out
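
Added example, not part of the original slide: a Python triage pass over 'added' entries in a report of the shape shown above, flagging dot-only path components and setuid/setgid mode bits. The two-line record layout is inferred from the output on this page, the sample lines are copied from it, and the function names are hypothetical.

```python
import re

# Three records copied from the Tripwire output on this page.
REPORT = """\
  foo:added: drwx------ root     512
               May  1 05:42:01 1999 /usr/bin/...
  foo:added: -rws--s--x root      90
               May  1 05:26:14 1999 /usr/bin/.../slog
  foo:added: -rw------- root     179
               May  1 05:42:38 1999 /usr/bin/.../tcp.out
"""

# Assumed layout: "<label>:added: <mode> <owner> <size>", then "<mtime> <path>".
HEAD = re.compile(r"^\s*(\S+?):added:\s+(\S{10})\s+(\S+)\s+(\d+)\s*$")
TAIL = re.compile(r"^\s*(\w{3}\s+\d+\s+[\d:]+\s+\d{4})\s+(.+?)\s*$")

def parse_added(text):
    """Pair each 'added:' line with the timestamp/path line that follows it."""
    entries, pending = [], None
    for line in text.splitlines():
        head = HEAD.match(line)
        if head:
            pending = head.groups()
            continue
        tail = TAIL.match(line)
        if pending and tail:
            label, mode, owner, size = pending
            entries.append({"label": label, "mode": mode, "owner": owner,
                            "size": int(size), "mtime": tail.group(1),
                            "path": tail.group(2)})
        pending = None
    return entries

def triage(entry):
    """Return the reasons an added entry deserves a closer look."""
    reasons = []
    parts = [p for p in entry["path"].split("/") if p]
    # A component made only of dots (other than '.' and '..') is easy to overlook.
    if any(len(p) > 2 and set(p) == {"."} for p in parts):
        reasons.append("dot-only path component")
    if entry["mode"][3] in "sS":
        reasons.append("setuid")
    if entry["mode"][6] in "sS":
        reasons.append("setgid")
    return reasons

if __name__ == "__main__":
    for e in parse_added(REPORT):
        print(e["mtime"], e["mode"], e["path"], "|", ", ".join(triage(e)))
```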