From: Luke Kearney
To: "dave"
Cc: freebsd-questions@freebsd.org
Date: Wed, 14 Apr 2004 14:47:18 +0900
Subject: Re: have i been hacked?
Message-Id: <20040414144409.F3F8.LUKEK@meibin.net>
In-Reply-To: <000001c421de$6c67ba10$0200a8c0@satellite>
References: <000001c421de$6c67ba10$0200a8c0@satellite>
X-Mailer: Becky! ver. 2.08.01 [en]

On Wed, 14 Apr 2004 00:51:06 -0400 "dave" granted us these pearls of wisdom:

> Hello,
> Wondering if a system on my network has been hacked? At approx 12:30
> this evening the hard disk went crazy. I have been out of town lately and
> have not checked any of the machines; when I did, the CPU usage was at 15%,
> which on this machine never gets above 1, maybe 1.5. So I looked, and I
> had nearly 150 processes on the box, 9 running. When I got the daily run
> output I noticed the setuid files have changed. Wondering if this box got
> hacked and if so where to look to confirm this? And if so, what to do?
> Thanks.
> Dave.
>
>
> Checking setuid files and devices:
> ls: Terminated
> : No such file or directory
>
> guardian.davemehler.net setuid diffs:
> 1,52d0
> < 94240 -r-sr-xr-x 1 root wheel 448384 Jun 4 21:54:47 2003 /bin/rcp
> < 117807 -r-sr-x--- 1 root operator 421832 Jun 4 21:55:39 2003 /sbin/mksnap_ffs
> < 117826 -r-sr-xr-x 1 root wheel 451668 Jun 4 21:55:43 2003 /sbin/ping
> < 117827 -r-sr-xr-x 1 root wheel 463444 Jun 4 21:55:43 2003 /sbin/ping6
> < 117839 -r-sr-x--- 1 root operator 431052 Jun 4 21:55:46 2003 /sbin/shutdown
> < 94338 -r-sr-xr-x 4 root wheel 21608 Jun 4 21:56:31 2003 /usr/bin/at
> < 94338 -r-sr-xr-x 4 root wheel 21608 Jun 4 21:56:31 2003 /usr/bin/atq
> < 94338 -r-sr-xr-x 4 root wheel 21608 Jun 4 21:56:31 2003 /usr/bin/atrm
> < 94338 -r-sr-xr-x 4 root wheel 21608 Jun 4 21:56:31 2003 /usr/bin/batch
> < 94353 -r-sr-xr-x 6 root wheel 17892 Jun 4 21:56:32 2003 /usr/bin/chfn
> < 94353 -r-sr-xr-x 6 root wheel 17892 Jun 4 21:56:32 2003 /usr/bin/chpass
> < 94353 -r-sr-xr-x 6 root wheel 17892 Jun 4 21:56:32 2003 /usr/bin/chsh
> < 94553 -r-sr-xr-x 1 root wheel 27072 Jun 4 21:56:56 2003 /usr/bin/crontab
> < 94384 -r-xr-sr-x 1 root kmem 15416 Jun 4 21:56:35 2003 /usr/bin/fstat
> < 94419 -r-sr-xr-x 1 root wheel 7804 Jun 4 21:56:39 2003 /usr/bin/lock
> < 94422 -r-sr-xr-x 1 root wheel 18944 Jun 4 21:56:39 2003 /usr/bin/login
> < 94560 -r-sr-sr-x 1 root daemon 25344 Jun 4 21:57:13 2003 /usr/bin/lpq.bak
> < 94561 -r-sr-sr-x 1 root daemon 29216 Jun 4 21:57:14 2003 /usr/bin/lpr.bak
> < 94562 -r-sr-sr-x 1 root daemon 24108 Jun 4 21:57:14 2003 /usr/bin/lprm.bak
> < 94441 -r-xr-sr-x 1 root kmem 100776 Jun 4 21:56:41 2003 /usr/bin/netstat
> < 94448 -r-sr-xr-x 1 root wheel 4452 Jun 4 21:56:41 2003 /usr/bin/opieinfo
> < 94450 -r-sr-xr-x 1 root wheel 11612 Jun 4 21:56:42 2003 /usr/bin/opiepasswd
> < 94452 -r-sr-xr-x 2 root wheel 5920 Jun 4 21:56:42 2003 /usr/bin/passwd
> < 94458 -r-sr-xr-x 1 root wheel 11584 Jun 4 21:56:42 2003 /usr/bin/quota
> < 94461 -r-sr-xr-x 1 root wheel 11008 Jun 4 21:56:42 2003 /usr/bin/rlogin
> < 94465 -r-sr-xr-x 1 root wheel 8564 Jun 4 21:56:43 2003 /usr/bin/rsh
> < 94478 -r-sr-xr-x 1 root wheel 12308 Jun 4 21:56:44 2003 /usr/bin/su
> < 94517 -r-xr-sr-x 1 root kmem 15532 Jun 4 21:56:48 2003 /usr/bin/vmstat
> < 94519 -r-xr-sr-x 1 root tty 10516 Jun 4 21:56:48 2003 /usr/bin/wall
> < 94527 -r-xr-sr-x 1 root tty 8100 Jun 4 21:56:49 2003 /usr/bin/write
> < 94353 -r-sr-xr-x 6 root wheel 17892 Jun 4 21:56:32 2003 /usr/bin/ypchfn
> < 94353 -r-sr-xr-x 6 root wheel 17892 Jun 4 21:56:32 2003 /usr/bin/ypchpass
> < 94353 -r-sr-xr-x 6 root wheel 17892 Jun 4 21:56:32 2003 /usr/bin/ypchsh
> < 94452 -r-sr-xr-x 2 root wheel 5920 Jun 4 21:56:42 2003 /usr/bin/yppasswd
> < 96169 -r-sr-xr-x 1 root wheel 3540 Jun 4 21:55:29 2003 /usr/libexec/pt_chown
> < 96150 -r-xr-sr-x 1 root smmsp 629176 Jun 4 21:57:15 2003 /usr/libexec/sendmail/sendmail
> < 108075 -rwsr-xr-x 1 root daemon 8624 Dec 21 18:00:36 2003 /usr/local/bin/lppasswd
> < 73521 -rwsr-xr-x 1 root wheel 285508 May 23 09:27:21 2003 /usr/local/bin/screen
> < 72487 -rws--x--x 1 root wheel 741976 May 23 11:00:24 2003 /usr/local/bin/sperl5.6.1
> < 78399 ---s--x--x 1 root wheel 86484 May 23 11:56:11 2003 /usr/local/bin/sudo
> < 77227 -rwxr-sr-x 1 root maildrop 108333 Aug 25 02:17:22 2003 /usr/local/sbin/postdrop
> < 77253 -rwxr-sr-x 1 root maildrop 97362 Aug 25 02:17:23 2003 /usr/local/sbin/postqueue
> < 96371 -r-xr-sr-x 1 root daemon 45704 Jun 4 21:57:13 2003 /usr/sbin/lpc
> < 96274 -r-sr-xr-x 1 root wheel 22448 Jun 4 21:57:00 2003 /usr/sbin/mrinfo
> < 96276 -r-sr-xr-x 1 root wheel 31956 Jun 4 21:57:00 2003 /usr/sbin/mtrace
> < 96418 -r-sr-xr-- 1 root network 367336 Jun 4 21:57:04 2003 /usr/sbin/ppp
> < 96419 -r-sr-x--- 1 root dialer 106692 Jun 4 21:57:05 2003 /usr/sbin/pppd
> < 96328 -r-sr-x--- 1 root network 14516 Jun 4 21:57:07 2003 /usr/sbin/sliplogin
> < 96337 -r-sr-xr-x 1 root wheel 16288 Jun 4 21:57:09 2003 /usr/sbin/timedc
> < 96338 -r-sr-xr-x 1 root wheel 23392 Jun 4 21:57:09 2003 /usr/sbin/traceroute
> < 96339 -r-sr-xr-x 1 root wheel 16788 Jun 4 21:57:09 2003 /usr/sbin/traceroute6
> < 96340 -r-xr-sr-x 1 root kmem 8512 Jun 4 21:57:09 2003 /usr/sbin/trpt
> mv: rename /var/log/setuid.today to /var/log/setuid.yesterday: No such file or directory
>
> Checking for uids of 0:
> root 0
> toor 0
>
> Checking for passwordless accounts:
>
> guardian.davemehler.net login failures:
>
> guardian.davemehler.net refused connections:
>
> -- End of security output --

Hi,

My first suggestion is to have a look at what services are running that
shouldn't be. A hacked box is not much use to anyone if they cannot use
it. Try sockstat -4 and see if there are unusual (unusual for this box)
services running, such as irc related services. Take a look at your mail
logs and see if there is unusual mail traffic. If the attacker is still
logged in (probably unlikely) you might get a hint from

netstat -NA | grep ESTABLISHED

HTH

LukeK
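An added example, not from this thread: a small POSIX shell stand-in for the kind of periodic setuid check that produced the quoted "setuid diffs" output (FreeBSD's own check lives in /etc/periodic/security/100.chksetuid; the function names, file names and the scratch tree below are this example's own constructions). It snapshots setuid/setgid files, diffs the snapshot against the previous one, and treats an empty new listing as a failed scan rather than as a change. That last case is what the quoted output calls for: a diff header of `1,52d0` means all 52 entries of the previous list are absent from the new one, which is exactly what a listing cut short (`ls: Terminated`, followed by the `mv` complaining that setuid.today does not exist) produces, and on its own it says nothing about the binaries.

```shell
#!/bin/sh
# Added example (not part of the original thread): a minimal stand-in for a
# periodic setuid check. Names and the scratch tree are constructed for the
# demo; nothing here is FreeBSD's own script.

# Build a constructed sample tree under $1 with a few setuid/setgid files.
make_sample_tree() {
    root=$1
    mkdir -p "$root/bin" "$root/usr/bin"
    : > "$root/bin/rcp";      chmod 4555 "$root/bin/rcp"      # setuid
    : > "$root/usr/bin/su";   chmod 4555 "$root/usr/bin/su"   # setuid
    : > "$root/usr/bin/wall"; chmod 2555 "$root/usr/bin/wall" # setgid
    : > "$root/usr/bin/ls";   chmod 0555 "$root/usr/bin/ls"   # neither
}

# Print "mode path" for every setuid/setgid regular file under $1, sorted
# by path so successive listings diff cleanly.
list_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} + \
        | awk '{ print $1, $NF }' | sort -k2
}

# Compare a fresh listing of $1 with the previous one kept in $2.
# Return codes: 0 unchanged, 1 changed (diff written to $2/setuid.diff and
# printed), 2 scan unusable (baseline left untouched).
check_setuid() {
    scan=$1; state=$2
    today="$state/setuid.today"; yesterday="$state/setuid.yesterday"
    mkdir -p "$state"
    [ -d "$scan" ] || { echo "scan root $scan missing" >&2; return 2; }
    list_setuid "$scan" > "$today.tmp"
    # A system whose baseline is full of setuid binaries does not go to zero
    # overnight; an empty listing means the scan was cut short, so neither
    # let it become the new baseline nor report it as "everything removed".
    if [ ! -s "$today.tmp" ] && [ -s "$yesterday" ]; then
        rm -f "$today.tmp"
        echo "empty setuid listing for $scan; keeping previous baseline" >&2
        return 2
    fi
    mv "$today.tmp" "$today"
    [ -f "$yesterday" ] || cp "$today" "$yesterday"   # first run: seed baseline
    if diff "$yesterday" "$today" > "$state/setuid.diff"; then
        rc=0
    else
        rc=1
        cat "$state/setuid.diff"
    fi
    cp "$today" "$yesterday"   # rotate: today's list is tomorrow's baseline
    return $rc
}

# Stand-alone demo on a scratch tree: seed a baseline, flip one file setuid
# and show the diff, then show an empty scan being refused.
demo() {
    t=$(mktemp -d)
    make_sample_tree "$t/root"
    check_setuid "$t/root" "$t/state" && echo "baseline seeded"
    chmod 4555 "$t/root/usr/bin/ls"
    check_setuid "$t/root" "$t/state" || echo "change detected (rc=$?)"
    mkdir -p "$t/empty"
    check_setuid "$t/empty" "$t/state" || echo "scan refused (rc=$?)"
    rm -rf "$t"
}
demo
```

Two things to keep in mind when reading a result like this on a box under suspicion. First, the check is only as honest as the find, ls and diff binaries it runs, so the comparison is better made against a listing kept off the machine than against one stored in /var/log. Second, a change in this list is a prompt to look, not a verdict; it belongs alongside the sockstat and netstat checks Luke suggests rather than in place of them.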