Date: Fri, 09 May 2003 08:40:34 -0500
From: Peter Elsner <peter@servplex.com>
To: freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
Subject: Hacked?
Message-ID: <5.2.0.9.2.20030509083519.01813eb8@mail.servplex.com>
This morning, I noticed in my security email that my entire /usr/bin directory had setuid diffs set on them. I think I've been hacked. So I installed chkrootkit from ports and ran it. It showed not infected for everything, except NETSTAT. NETSTAT showed infected... I ran chkrootkit for another machine (at my office), and it showed not infected for everything. Both machines are running 4.7-STABLE.

I can re-install and restore my data, that's not a problem, but I am a little confused... When listing any directories, I see the following:

    drwxr-xr-x   3 root  wheel    18944 f 16:35 dev
    drwxr-xr-x   2 root  wheel      512 f 2002  dist
    drwxr-xr-x  17 root  wheel     4608 f 08:35 etc
    lrwxr-xr-x   1 root  wheel        9 f 2002  home -> /usr/home
    -r-xr-xr-x   1 root  wheel  2326346 f 06:51 kernel
    -r-xr-xr-x   1 root  wheel  3258128 f 2000  kernel.GENERIC
    -r-xr-xr-x   1 root  wheel  2301572 f 2002  kernel.old
    drwxrwxrwx   2 root  wheel      512 f 2002  lib
    drwxrwxrwx   3 root  wheel      512 f 2002  log
    lrwxr-xr-x   1 root  wheel       19 f 2002  logfiles -> /usr/local/www/logs
    drwxr-xr-x   2 root  wheel      512 f 2000  mnt
    drwxr-xr-x   2 root  wheel     4096 f 06:52 modules
    drwxr-xr-x   2 root  wheel     4096 f 06:51 modules.old
    drwxr-xr-x   2 root  wheel      512 f 2002  old
    dr-xr-xr-x   1 root  wheel      512 f 08:37 proc
    drwxrwxrwx   2 root  wheel      512 f 18:58 ris_datalogs
    drwxr-xr-x   4 root  wheel      512 f 2002  root
    drwxr-xr-x   2 root  wheel     2048 f 04:36 sbin
    drwxr-xr-x   5 root  wheel     1024 f 2002  stand
    lrwxr-xr-x   1 root  wheel       11 f 18:04 sys -> usr/src/sys
    drwxrwxrwt   4 root  wheel      512 f 08:36 tmp
    drwxr-xr-x  19 root  wheel      512 f 2002  usr
    drwxr-xr-x  22 root  wheel      512 f 2002  var
    lrwxr-xr-x   1 root  wheel       19 f 2002  www -> /usr/local/www/data

Notice the f in place of the date? What does that mean? Does it look like I've been hacked? I've already changed all my passwords. Any insight on the f in the date would be appreciated.
Thanks in advance
Peter
----------------------------------------------------------------------
Peter Elsner <peter@servplex.com>
Vice President Of Customer Service (And System Administrator)
1835 S. Carrier Parkway
Grand Prairie, Texas 75051
(972) 263-2080 - Voice
(972) 263-2082 - Fax
(972) 489-4838 - Cell Phone
(425) 988-8061 - eFax

I worry about my child and the Internet all the time, even though she's too young to have logged on yet. Here's what I worry about. I worry that 10 or 15 years from now, she will come to me and say "Daddy, where were you when they took freedom of the press away from the Internet?" -- Mike Godwin

Unix IS user friendly... It's just selective about who its friends are.
System Administration - It's a dirty job, but somebody said I had to do it.
If you receive something that says 'Send this to everyone you know', pretend you don't know me.
Standard $500/message proofreading fee applies for UCE.
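As an added example (not from the post above and not FreeBSD's own periodic scripts), here is the kind of baseline-and-diff check behind the "setuid diffs" in the daily security mail: it records which files are setuid/setgid and reports any later change in that set or in their mode or owner. The directories to scan and the baseline file are parameters, not assumptions about the poster's system.

```shell
#!/bin/sh
# Added example, not from the original post or FreeBSD's periodic scripts:
# a baseline-and-diff check for setuid/setgid files, the kind of change the
# daily security mail reports as "setuid diffs". Directories to scan and
# the baseline file are parameters (assumed, not the poster's paths).

# Print one line per setuid/setgid regular file under the given directories:
# "mode owner group path", sorted by path so two runs can be compared.
# (A path containing spaces would break the $NF field; system binaries don't.)
setuid_listing() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -ld {} + 2>/dev/null \
        | awk '{ print $1, $3, $4, $NF }' | sort -k4
}

# Compare the current listing with a saved baseline.
#   setuid_diff BASELINE_FILE DIR...
# Returns 0 if the baseline is absent (it is recorded now) or unchanged,
# 1 if files were added/removed or their mode or owner changed (the
# differing lines are printed: "<" = baseline, ">" = current), 2 on error.
setuid_diff() {
    baseline="$1"; shift
    current=$(mktemp) || return 2
    setuid_listing "$@" > "$current"
    if [ ! -f "$baseline" ]; then
        # First run: record what "normal" looks like and report nothing.
        mv "$current" "$baseline"
        return 0
    fi
    if cmp -s "$baseline" "$current"; then
        rm -f "$current"
        return 0
    fi
    diff "$baseline" "$current" | grep '^[<>]'
    rm -f "$current"
    return 1
}

# Typical use: scan the system directories against a baseline kept on
# read-only media and alert when the exit status is non-zero, e.g.
#   setuid_diff /mnt/ro/setuid.baseline /bin /sbin /usr/bin /usr/sbin
```

On a machine already suspected of compromise, run this from known-good binaries (for example tools on read-only media), since a rootkit that replaces netstat can just as easily replace ls or find.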