[nycbug-talk] Searching for suspect PHP files...

[Matt Juszczak]

> Tripwire became a bloated beast nowadays.  I'm using mtree(8) for
> checking files integrity and it is a very good tool for such job.
>
> --Andy

So say I wanted to check if an existing system of mine has been 
compromised.  I already know that chkrootkit is returning nothing, but 
that's returning nothing with no source to compare to, so obviously 
there's the potential there for error.

Should I compile world in /usr/src and use chkrootkit with a basedir of 
the compiled binaries?  Or should I use mtree, and if so, suggestions on 
best ways?