Re: Things I Don't Understand About Debian

[shawn wilson <ag4ve.us@gmail.com>]

On Fri, Feb 25, 2011 at 3:13 PM, Andrei Popescu <andreimpopescu@gmail.com> wrote:

On Vi, 25 feb 11, 12:42:51, Sjoerd Hardeman wrote:
> The fact that a compromised user account = a compromised machine is
> of course very true. However, when detected it might be that the
> attacker did not manage yet to get root permissions. Thus, it buys
> some time.

But there is no 100% way to tell the machine is clean, so you will have
to wipe and reinstall anyway.

tripwire? setup logrotate to log to another computer?
there are other options than tripwire and logrotate, but those are the general theories that will let you know.