files

Posted: Thu Oct 14, 2010 11:59 am
by hlogin
If anyone places files on my system, is there any way to detect what files were placed on my system? Also, is there a trace left at the ISP or somewhere that leads back to the person who placed files on my system?

Appreciate any input regarding these questions. Thanks,

Posted: Sun Oct 17, 2010 11:34 pm
by hlogin
Any answers?????

Posted: Mon Dec 06, 2010 8:35 am
by malachi
You'll need to be more specific.

Posted: Wed Dec 08, 2010 4:46 am
by hlogin
malachi wrote: You'll need to be more specific.
I am not sure myself. I just wanted to know if someone got access to my machine and downloaded some files, is there a way to identify that these files were downloaded not by me but by someone else? If we look at the ISP logs, can we identify the people who downloaded these files onto my machine?
Maybe this is off topic, but recently a website that I am working on for a company was hacked. They could trace the server to Amazon cloud and I believe Amazon did not want to pursue it further. If this was a serious threat, do you think Amazon could trace the real hacker?

Posted: Thu Dec 09, 2010 12:07 pm
by malachi
OK let me try and reformulate your question based on the details you've provided, and my guesses filling in details that you still haven't provided:

"Assume someone has gained access to a unix-like (unix/linux/bsd/etc) computer via a remote connection, and through this connection, may or may not have downloaded or modified some files. Is there any way for me, an authorized user, to see if he did indeed download any files, and if so, which files those are?"

The short answer is "maybe, sort of". Assuming that the attacker gained access to a valid shell account, there's nothing that will differentiate his actions from legitimate actions. However, here is what you can do:

1) find out when the attack happened:
Use the "last" command. This will tell you who logged in, when, and from where. Look for the connection that came from somewhere unusual, and see what times the user was logged in for.
2) find all files modified during this timespan:
You can do this using the "find" command. Read the manual page for more details on how to do this (accessible via "man find" or http://unixhelp.ed.ac.uk/CGI/man-cgi?find)

Also, step 1) above will tell you what user the attacker logged in as. Check that user's ~/.bash_history file. This file, assuming the attacker did not clear it, will contain a "history" of the commands the attacker typed into the terminal, and can be helpful in uncovering what the attacker did.

Final note: if the attacker gained root access, you MUST reformat/reinstall the system, or at least replace the kernel and all system binaries from backups known to be clean. It is the only way to make sure you don't have any backdoors left open in your system.

Best of luck! Let us know what you find
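
The first two steps above plus the history-file check, written out as an added worked example (this is not malachi's or hlogin's code). The "last" output is constructed sample text, the directory tree is built under a temp dir with back-dated mtimes, and the address 203.0.113.7 is a documentation placeholder standing in for the unusual login source. Reference files with "touch -t" are used instead of GNU-only find options so it runs on any POSIX find.

```shell
#!/bin/sh
# Added example: reconstruct a login window from "last" and list files
# modified inside it. Sample data below is constructed, not from a real host.

# Constructed sample of what "last" prints. 203.0.113.7 is the placeholder
# for the unfamiliar address; the other sessions are the legitimate owner.
SAMPLE_LAST='bob      pts/1        203.0.113.7      Mon Dec  6 03:10 - 03:25  (00:15)
bob      pts/0        192.168.1.5      Sun Dec  5 10:00 - 12:00  (02:00)
alice    tty1                          Sat Dec  4 08:00 - 09:30  (01:30)'

# Step 1: for a given source address, print "user login logout" per session.
# Field 3 is the remote host, 7 the login time, 9 the logout time.
sessions_from_host() {
    printf '%s\n' "$SAMPLE_LAST" | awk -v host="$1" '$3 == host { print $1, $7, $9 }'
}

# Step 2: regular files under $1 whose mtime is after $2 and not after $3.
# Timestamps are YYYYMMDDhhmm as accepted by touch -t. The start reference
# is exclusive (-newer is "strictly newer"), so pass the minute before login
# if you need an inclusive lower bound.
files_modified_between() {
    root=$1; start=$2; end=$3
    ref=$(mktemp -d)
    touch -t "$start" "$ref/start"
    touch -t "$end"   "$ref/end"
    find "$root" -type f -newer "$ref/start" ! -newer "$ref/end" | sort
    rm -rf "$ref"
}

# History-file check: the post's caveat is that the attacker may have cleared
# it. Report whether it is missing, empty, a symlink (e.g. to /dev/null), or
# how many lines it holds. $1 is the user's home directory.
history_state() {
    h="$1/.bash_history"
    if   [ -L "$h" ]; then echo symlink
    elif [ ! -e "$h" ]; then echo missing
    elif [ ! -s "$h" ]; then echo empty
    else echo "$(grep -c '' "$h") line(s)"
    fi
}

# Constructed sample tree: one file before the window, two inside it, one after.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/home/bob" "$dir/tmp"
    echo legit   > "$dir/home/bob/notes.txt";     touch -t 201012051000 "$dir/home/bob/notes.txt"
    echo dropped > "$dir/tmp/.payload";           touch -t 201012060315 "$dir/tmp/.payload"
    echo 'ls -la /tmp' > "$dir/home/bob/.bash_history"; touch -t 201012060320 "$dir/home/bob/.bash_history"
    echo later   > "$dir/home/bob/report.txt";    touch -t 201012070900 "$dir/home/bob/report.txt"
    echo "$dir"
}

# Usage on the sample data (a real run would use "last" and "/" or "/home").
if [ "${1:-}" = "demo" ]; then
    sessions_from_host 203.0.113.7
    d=$(make_sample_tree)
    files_modified_between "$d" 201012060310 201012060325
    history_state "$d/home/bob"
    rm -rf "$d"
fi
```

On a real system the window comes straight from "last" and the search root is "/" (expect noise from logs and spool directories, so filter those out rather than trusting a bare listing), and an empty or symlinked .bash_history during a window that clearly had activity is itself a finding.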

Posted: Fri Dec 10, 2010 5:53 pm
by 0042
If you do have the ISP of the person who did it, there are several ISP translators on the internet that can tell you the what/who/where of the address.... that is, assuming they weren't smart enough to use a proxy...

Posted: Fri Dec 10, 2010 9:30 pm
by CodeX
ISPIP + IPs change for most people each time their gateway is restarted.