From owner-freebsd-security@FreeBSD.ORG Fri May 9 06:40:46 2003
Return-Path: 
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3DB6437B404; Fri, 9 May 2003 06:40:46 -0700 (PDT)
Received: from spxgate.servplex.com (ip66-105-58-82.z58-105-66.customer.algx.net [66.105.58.82]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4956D43F75; Fri, 9 May 2003 06:40:36 -0700 (PDT) (envelope-from peter@servplex.com)
Received: from peter.servplex.com ([192.168.0.10]) by spxgate.servplex.com (8.12.8/8.12.6) with ESMTP id h49DpPIM092280; Fri, 9 May 2003 08:51:25 -0500 (CDT) (envelope-from peter@servplex.com)
Message-Id: <5.2.0.9.2.20030509083519.01813eb8@mail.servplex.com>
X-Sender: peter@mail.servplex.com
X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9
Date: Fri, 09 May 2003 08:40:34 -0500
To: freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
From: Peter Elsner
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Subject: Hacked?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Fri, 09 May 2003 13:40:46 -0000

This morning, I noticed in my security email that my entire /usr/bin directory had setuid diffs set on them. I think I've been hacked.

So I installed chkrootkit from ports and ran it. It showed "not infected" for everything, except NETSTAT. NETSTAT showed "infected"...

I ran chkrootkit on another machine (at my office), and it showed "not infected" for everything. Both machines are running 4.7-STABLE.

I can re-install and restore my data, that's not a problem, but I am a little confused...
When listing any directories, I see the following:

drwxr-xr-x   3 root  wheel    18944 f 16:35 dev
drwxr-xr-x   2 root  wheel      512 f  2002 dist
drwxr-xr-x  17 root  wheel     4608 f 08:35 etc
lrwxr-xr-x   1 root  wheel        9 f  2002 home -> /usr/home
-r-xr-xr-x   1 root  wheel  2326346 f 06:51 kernel
-r-xr-xr-x   1 root  wheel  3258128 f  2000 kernel.GENERIC
-r-xr-xr-x   1 root  wheel  2301572 f  2002 kernel.old
drwxrwxrwx   2 root  wheel      512 f  2002 lib
drwxrwxrwx   3 root  wheel      512 f  2002 log
lrwxr-xr-x   1 root  wheel       19 f  2002 logfiles -> /usr/local/www/logs
drwxr-xr-x   2 root  wheel      512 f  2000 mnt
drwxr-xr-x   2 root  wheel     4096 f 06:52 modules
drwxr-xr-x   2 root  wheel     4096 f 06:51 modules.old
drwxr-xr-x   2 root  wheel      512 f  2002 old
dr-xr-xr-x   1 root  wheel      512 f 08:37 proc
drwxrwxrwx   2 root  wheel      512 f 18:58 ris_datalogs
drwxr-xr-x   4 root  wheel      512 f  2002 root
drwxr-xr-x   2 root  wheel     2048 f 04:36 sbin
drwxr-xr-x   5 root  wheel     1024 f  2002 stand
lrwxr-xr-x   1 root  wheel       11 f 18:04 sys -> usr/src/sys
drwxrwxrwt   4 root  wheel      512 f 08:36 tmp
drwxr-xr-x  19 root  wheel      512 f  2002 usr
drwxr-xr-x  22 root  wheel      512 f  2002 var
lrwxr-xr-x   1 root  wheel       19 f  2002 www -> /usr/local/www/data

Notice the "f" in place of the date? What does that mean? Does it look like I've been hacked?

I've already changed all my passwords. Any insight on the "f" in the date would be appreciated.

Thanks in advance,
Peter

----------------------------------------------------------------------------------------------------------
Peter Elsner
Vice President Of Customer Service (And System Administrator)
1835 S. Carrier Parkway
Grand Prairie, Texas 75051
(972) 263-2080 - Voice
(972) 263-2082 - Fax
(972) 489-4838 - Cell Phone
(425) 988-8061 - eFax

I worry about my child and the Internet all the time, even though she's too young to have logged on yet. Here's what I worry about. I worry that 10 or 15 years from now, she will come to me and say "Daddy, where were you when they took freedom of the press away from the Internet?"
-- Mike Godwin

Unix IS user friendly... It's just selective about who its friends are.

System Administration - It's a dirty job, but somebody said I had to do it.

If you receive something that says 'Send this to everyone you know', pretend you don't know me.

Standard $500/message proofreading fee applies for UCE.
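The "setuid diffs" the poster saw in the daily security mail come from comparing today's list of setuid/setgid files against yesterday's. The script below is an added example illustrating that check; it is not FreeBSD's own /etc/security or periodic(8) script and was not posted by the original author. It inventories setuid and setgid files under a directory (the function and file names are made up for this example), stores a baseline, and later reports every entry that appeared or disappeared, returning a non-zero status so the result can drive an alert. Checking an inventory this way only tells you that something changed; as in the post, a change across all of /usr/bin is a reason to treat the host as compromised and rebuild from known-good media rather than to clean individual files.

```sh
#!/bin/sh
# Added example, not FreeBSD's /etc/security: inventory setuid/setgid files
# under a tree and report changes against a saved baseline.

# setuid_inventory DIR
# Print one sorted line per setuid/setgid regular file: "mode owner group path".
# ls -ld is run per file so the field positions are stable on BSD and GNU userland.
setuid_inventory() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; 2>/dev/null |
        awk '{ print $1, $3, $4, $NF }' | sort
}

# setuid_baseline DIR BASELINE_FILE
# Record the current inventory of DIR as the baseline to compare against later.
setuid_baseline() {
    setuid_inventory "$1" > "$2"
}

# setuid_diff DIR BASELINE_FILE
# Print "+ entry" for setuid/setgid files that are new or whose mode/owner
# changed, and "- entry" for ones that vanished. Returns 0 when nothing
# changed and 1 when something did, so a caller can page on a non-zero status.
setuid_diff() {
    dir=$1
    baseline=$2
    current=$(mktemp) || return 2
    setuid_inventory "$dir" > "$current"
    # comm needs sorted input; both files are produced sorted by setuid_inventory.
    added=$(comm -13 "$baseline" "$current")
    removed=$(comm -23 "$baseline" "$current")
    rm -f "$current"
    if [ -z "$added" ] && [ -z "$removed" ]; then
        return 0
    fi
    if [ -n "$added" ]; then
        printf '%s\n' "$added" | sed 's/^/+ /'
    fi
    if [ -n "$removed" ]; then
        printf '%s\n' "$removed" | sed 's/^/- /'
    fi
    return 1
}

# Typical use (assumed paths): run once to create the baseline, then daily.
#   setuid_baseline /usr/bin /var/db/setuid.baseline
#   setuid_diff /usr/bin /var/db/setuid.baseline || mail -s "setuid diff" root
```

The baseline file itself needs to live somewhere an intruder with write access to /usr/bin cannot also edit (read-only media or a separate host), otherwise the comparison can be silenced along with the binaries it is meant to protect.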