find / -user root -perm -4000 -printThe results of this command are printed on the screen. All paths are checked starting at /, including all mounted directories. A great number of files will be found. It is up to you to scan these files for any unusual names. One possibility is to direct the output of this program to a file soon after installation and compare the results with later outputs. If this command reports any unusual files, investigate them immediately.
A suspicious file might turn up like this:
-r-sr-xr-x 1 root bin 38836 Aug 10 16:16 /usr/bin/at -r-sr-xr-x 1 root bin 19812 Aug 10 16:16 /usr/bin/crontab -r-sr-xr-x 1 root bin 27748 Aug 10 16:16 /usr/bin/shl ---s--x--x 1 root sys 46040 Aug 10 15:18 /usr/bin/ct -r-sr-sr-x 1 root bin 33208 Aug 10 15:55 /usr/lib/lpadmin -r-sr-sr-x 1 root bin 38696 Aug 10 15:55 /usr/lib/lpsched ---s--x--- 1 root user 45376 Aug 18 15:11 /usr/jbond/bin/sh -r-sr-xr-x 1 root sys 11416 Aug 11 01:26 /bin/mkdir -r-sr-xr-x 1 root sys 11804 Aug 11 01:26 /bin/rmdir -r-sr-xr-x 1 root bin 12524 Aug 11 01:27 /bin/df -rwsr-xr-x 1 root sys 21780 Aug 11 01:27 /bin/newgrp -r-sr-sr-x 1 root sys 23000 Aug 11 01:27 /bin/passwd -r-sr-xr-x 1 root sys 23824 Aug 11 01:27 /bin/suIn this example, the user jbond has a personal copy of /bin/sh and has made it set-UID to root. This means that anyone in the group user can execute /usr/jbond/bin/sh and become the superuser.