If a patch's subdirectory was created under the 8i ORACLE_HOME and the patch was installed from there, you should see a file called undo_pre3821967_220.127.116.11.0.sh which is created by the patch for backout purposes (on UNIX). If, on the other hand, the patch was applied from a central location across all servers, it might be more difficult to prove that the patch was applied.
With Oracle9i, however, the patch would have been installed with the opatch utility. You can use the opatch utility to list the installed patches. Set your environment to a 9i database on the server, navigate to where the opatch utility is installed (or include it in your path) and type:
This will read the inventory and list any patches that were installed. If security alert #68 was installed, you should see lines similar to this in the output (this example is from Solaris):
Installed Patch List: ===================== 1) Patch 3811887 applied on Thu Oct 14 12:43:51 MDT 2004 [ Base Bug(s): 3828166 3811887 ]
Also, with Oracle9i, you can look in $ORACLE_HOME/.patch_storage for log files. If this hidden directory (.patch_storage) was created prior to applying the patch, opatch would have sent all log files to this subdirectory by default.
This was first published in July 2005