From: "Tomek" <tomek@mpionline.com>
To: freebsd-questions@freebsd.org
Subject: I got hacked, I think
Date: Thu, 18 Oct 2001 06:22:51 -0600

Hello there,

Hope I don't sound like a fool posting 2 separate problems in the same day. But while looking for the first problem I found many unusual things. I will try to keep it to the point to not waste anyone's time. I appreciate ANY help.
===WHAT I FOUND (quick snips)===

=IN /etc/passwd:
l-x:*:1003:0:User &:/home/l-x:/bin/sh

=IN /etc/master.passwd:
l-x:$4$(snip):1003:0::0:0:User &:/home/l-x:/bin/sh

=IN /var/log/userlog:
2001-10-06 14:00:17 [unknown:useradd] l-x(1003):wheel(0):User &:/home/l-x:/bin/sh

=NOTE: my crashing/rebooting problem mentioned earlier started on 9/9/01
=NOTE: "adduser" log shows nothing

=IN security summary for 9/20/01: (I found it bizarre)
P7.mpionline.com kernel log messages:
> CPU: Pentium III/Pentium III Xeon/Celeron (701.59-MHz 686-class CPU)

=IN security summary for 9/27/01:
58c58
< 2539603 -r-xr-sr-x 1 bin mail 26292 Apr 19 13:11:11 2001 /usr/local/libexec/cucipop
> 2539603 -r-xr-sr-x 1 bin mail 26292 Apr 19 13:11:11 2001 /usr/local/bin/bzcat

=IN security summary for 10/06/01:
58a59
> 2547533 ---s--x--x 1 Broot wheel 83004 Sep 26 21:42:25 2001 /usr/local/bin/sudo

=IN /var/log/messages:
messages:Oct 6 14:01:00 P7 login: LOGIN l-x REFUSED (ACCESS) FROM 212.199.120.98 ON TTY ttyp0
messages:Oct 6 14:01:21 P7 login: LOGIN l-x REFUSED (ACCESS) FROM 212.199.120.98 ON TTY ttyp0

=IN setuid.today I see a LOT of entries, even though I haven't been doing anything. For example:
4515661 -rwsr-xr-x 1 Broot news 7347 Apr 18 20:45:13 2001 /usr/local/news/bin/auth/passwd/ckpasswd
4150643 -r-sr-x--- 1 Broot news 32202 Apr 18 20:44:09 2001 /usr/local/news/bin/inndstart

=NOTE: I found my /var/log/security EMPTY

=VERSION: FreeBSD 4.3-RELEASE (GENERIC) #0: Sat Apr 21 10:54:49 GMT 2001

===COMMENTS===

I know I was NOT doing anything on 09/27/01, 10/06/01 or any of the days in question, so I know it wasn't me. I do not allow ANY accounts on our server other than my own, and I do not use passwords that I use anywhere else.

===QUESTIONS===

Forgive me if this is overwhelming, I have no idea what else to do but ask questions. I have browsed around the usual resources but I am asking these questions in the context of the above, not in general really.

Is it normal for /var/log/security to be empty?
Is it normal to have lots of entries in setuid.today (ie: is it caused by general server activity)?

Any suggestions of what logs/places I should check next to find out WHAT has been done to my system and what it was used for? (ie: a connection log to see when this hacker was connecting, if it exists).

Any other help.

TY EVERYONE WHO HELPS, I really and truly appreciate this in my moment of panic.
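The two artefacts quoted above, a useradd entry in /var/log/userlog with no identifiable actor and a gid-0 primary group, and a set-id listing where an inode keeps its attributes but changes path, are exactly what a defender would want to pull out of these reports automatically. The following is an added example, not code from the original post or from FreeBSD; the log lines are constructed to match the formats quoted above and the owner field is assumed to read "root" rather than the "Broot" shown in the post.

```python
import re
# Constructed samples modelled on the formats quoted in the post; not the poster's real logs.
USERLOG = """\
2001-09-01 09:12:44 [tomek:useradd] www(80):www(80):Web user:/nonexistent:/sbin/nologin
2001-10-06 14:00:17 [unknown:useradd] l-x(1003):wheel(0):User &:/home/l-x:/bin/sh
"""
SETUID_YESTERDAY = "2539603 -r-xr-sr-x 1 bin mail 26292 Apr 19 13:11:11 2001 /usr/local/libexec/cucipop\n"
SETUID_TODAY = """\
2539603 -r-xr-sr-x 1 bin mail 26292 Apr 19 13:11:11 2001 /usr/local/bin/bzcat
2547533 ---s--x--x 1 root wheel 83004 Sep 26 21:42:25 2001 /usr/local/bin/sudo
"""
USERLOG_RE = re.compile(r"^(\S+ \S+) \[(\w+):(\w+)\] ([^(]+)\((\d+)\):([^(]+)\((\d+)\):")
SETUID_RE = re.compile(r"^(\d+)\s+(\S{10})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+\d{4}\s+(.*)$")
def suspicious_account_events(userlog):
    """Flag useradd entries with no identifiable actor or a gid-0 (wheel) primary group."""
    hits = []
    for line in userlog.splitlines():
        m = USERLOG_RE.match(line)
        if m and m.group(3) == "useradd":
            when, actor, _, user, _uid, group, gid = m.groups()
            reasons = []
            if actor == "unknown":
                reasons.append("no login name recorded for the actor")
            if gid == "0":
                reasons.append("primary group is gid 0 (%s)" % group.strip())
            if reasons:
                hits.append((when, user.strip(), reasons))
    return hits

def parse_setuid(report):
    """Map path -> (inode, mode, owner, group); fields: inode mode links owner group size date path."""
    out = {}
    for line in report.splitlines():
        m = SETUID_RE.match(line)
        if m:
            inode, mode, owner, group, path = m.groups()
            out[path] = (inode, mode, owner, group)
    return out

def setuid_changes(yesterday, today):
    """Report set-id files that are new today, or whose inode now appears under a new path."""
    old, new = parse_setuid(yesterday), parse_setuid(today)
    old_by_inode = {v[0]: p for p, v in old.items()}
    findings = []
    for path, (inode, mode, owner, group) in new.items():
        if path not in old and inode in old_by_inode:  # same inode, new name: rename or hard link
            findings.append(("renamed", old_by_inode[inode], path))
        elif path not in old:
            findings.append(("new", path, "%s %s:%s" % (mode, owner, group)))
    return findings
```

Run against the real /var/log/userlog and two consecutive days of the security report's set-id listing, the first function isolates account creations worth explaining and the second separates a genuinely new set-id binary from an existing one that merely moved.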