Intruder Detection Help
I'm reading through the Intruder Detection List from CERT and ran a line named: find / -user root -perm -4000 -print -xdev
(Info located here: http://www.cert.org/tech_tips/intrud...checklist.html)
Anyways, I came up with a list of around 16 different locations:
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/quota
/usr/bin/crontab
/usr/libexec/openssh/ssh-keysign
/usr/sbin/traceroute
/usr/sbin/suexec
/usr/sbin/exim
/usr/local/apache/bin/suexec
/usr/local/cpanel/bin/cpwrap
/usr/local/cpanel/bin/jailshell
/usr/local/cpanel/cgi-sys/cgiecho
/usr/local/cpanel/cgi-sys/cgiemail
/usr/local/cpanel/cgi-sys/helpdesk.cgi
/usr/local/cpanel/cgi-sys/scgiwrap
/bin/su
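
Added example, not part of the original post: a list like the one above is easier to act on when each scan is compared against a saved baseline, so only set-uid files that appeared or disappeared need review. The function names (suid_scan, suid_diff) and the sample path lists are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: baseline-and-diff triage for set-uid files.

# List set-uid regular files under $1 owned by user $2 (default: root),
# staying on one filesystem; sorted and de-duplicated for comparison.
suid_scan() {
    find "$1" -xdev -user "${2:-root}" -type f -perm -4000 -print 2>/dev/null | sort -u
}

# Compare two path lists. Usage: suid_diff new|gone BASELINE CURRENT
#   new  = in CURRENT but not in BASELINE (appeared since the baseline)
#   gone = in BASELINE but not in CURRENT (removed, or set-uid bit cleared)
suid_diff() {
    case "$1" in
        new)  flag=-13 ;;
        gone) flag=-23 ;;
        *)    echo "usage: suid_diff new|gone BASELINE CURRENT" >&2; return 2 ;;
    esac
    b=$(mktemp) && c=$(mktemp) || return 1
    sort -u "$2" > "$b"
    sort -u "$3" > "$c"
    comm "$flag" "$b" "$c"
    rm -f "$b" "$c"
}

# Demo on constructed data: a baseline taken earlier and a later scan
# (the later scan contains a duplicate line and one constructed new path).
demo_dir=$(mktemp -d)
cat > "$demo_dir/baseline.txt" <<'EOF'
/bin/su
/usr/bin/crontab
/usr/bin/gpasswd
/usr/bin/passwd
EOF
cat > "$demo_dir/current.txt" <<'EOF'
/bin/su
/usr/bin/crontab
/usr/bin/passwd
/usr/bin/passwd
/var/tmp/constructed-example
EOF
echo "New since baseline:";  suid_diff new  "$demo_dir/baseline.txt" "$demo_dir/current.txt"
echo "Missing vs baseline:"; suid_diff gone "$demo_dir/baseline.txt" "$demo_dir/current.txt"
rm -rf "$demo_dir"
```

On a real host the baseline would come from something like suid_scan / > baseline.txt taken while the system is known to be clean, and stored somewhere an intruder on that host cannot modify.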