Forensics 13. Have you really killed it off?

You might think that you've killed off the programs being run by the intruder, but watch to see if they come back again...

  bash# cd /var/spool/cron/crontabs
  bash# ls -l foo
  -r-------- 1 root user 79 May  2 09:27 foo
  bash# cat foo
  0,10,20,30,40,50 * * * *
    /home/foo/.../sian.chk >/dev/null 2>&1

sian.chk turns out to be a script which restarts sian if it wasn't already running.
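
A way to sweep every crontab in the spool directory for entries like the one above, as an added example that is not part of the original page. The function name audit_crontabs and its three heuristics (dot-prefixed path component, discarded output, command under a home or temp directory) are assumptions chosen for illustration. The sample spool is constructed, using the page's entry joined onto one line with its path kept as printed.

```shell
#!/bin/sh
# Added example (not from the original page): triage crontab files for entries
# that could quietly restart an intruder's program. These are heuristics for
# review, not proof of compromise.
# Usage: audit_crontabs DIR   (e.g. /var/spool/cron/crontabs, read as root)
audit_crontabs() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            /^[ \t]*#/ || /^[ \t]*$/ { next }                  # comments, blank lines
            /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { next }    # VAR=value settings
            {
                why = ""
                # path component starting with a dot, e.g. /.../ or /.cache/
                if ($0 ~ "/\\.[^/ \t]*/") why = why " hidden-dir"
                # output discarded, so cron never mails anything to the owner
                if ($0 ~ ">[ \t]*/dev/null") why = why " output-discarded"
                # command run from a home or temp directory
                if ($0 ~ "[ \t]/(home|tmp|var/tmp|dev/shm)/") why = why " user-writable-path"
                if (why != "") printf "%s:%d:%s: %s\n", file, NR, why, $0
            }
        ' "$f"
    done
}

# Constructed sample spool directory so the example runs offline.
demo_dir=$(mktemp -d)
cat > "$demo_dir/foo" <<'EOF'
# entry as shown on the page, joined onto one line (path kept as printed)
0,10,20,30,40,50 * * * * /home/foo/.../sian.chk >/dev/null 2>&1
EOF
cat > "$demo_dir/root" <<'EOF'
MAILTO=root
15 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
EOF
audit_crontabs "$demo_dir"
rm -rf "$demo_dir"
```

Each flagged line is printed as file:line: reasons: entry, so the script it points at (here sian.chk) can be examined and removed along with the cron entry itself.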