From owner-freebsd-questions Thu Oct 18 6:35:19 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from gwdu60.gwdg.de (gwdu60.gwdg.de [134.76.98.60]) by hub.freebsd.org (Postfix) with ESMTP id E37B537B405 for ; Thu, 18 Oct 2001 06:35:14 -0700 (PDT)
Received: from localhost (kheuer@localhost) by gwdu60.gwdg.de (8.11.3/8.9.3) with ESMTP id f9IDZ8J37651; Thu, 18 Oct 2001 15:35:08 +0200 (CEST) (envelope-from kheuer@gwdu60.gwdg.de)
Date: Thu, 18 Oct 2001 15:35:08 +0200 (CEST)
From: Konrad Heuer
To: Tomek
Cc:
Subject: Re: I got hacked, I think
In-Reply-To: <011e01c157cf$9b401700$f6f073d1@mpionline.com>
Message-ID: <20011018152518.G37610-100000@gwdu60.gwdg.de>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=X-UNKNOWN
Content-Transfer-Encoding: QUOTED-PRINTABLE
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Thu, 18 Oct 2001, Tomek wrote:

> Hope I don't sound like a fool posting 2 separate problems in the same
> day. But while looking for the first problem I found many unusual
> things. I will try to keep it to the point to not waste anyone's time. I
> appreciate ANY help.
>
> ===WHAT I FOUND (quick snips)===
>
> (...)
>
> Is it normal for /var/log/security to be empty?

Yes, it may usually be empty.

> Is it normal to have lots of entries in setuid.today (ie: is it caused
> by general server activity)?

No; in normal operation, the files /var/log/setuid.today and
/var/log/setuid.today should not differ very much; the system
administrator should usually know when entries may change.

> Any suggestions of what logs/places I should check next to find out WHAT
> has been done to my system and what it was used for? (ie: a connection
> log to see when this hacker was connecting, if it exists).
> Any other help.

I suggest (I used this myself) placing some entries in /etc/hosts.allow
for ftp, telnet, ssh etc. which log any access; below you find an example
I used to log telnet requests (in reality, this is *one* line, not two
lines):

telnetd : ALL : spawn ( /bin/date >> /var/log/telnetd.log && /bin/echo "telnet session request from %c" >> /var/log/telnetd.log ) : allow

Best regards
Konrad

Konrad Heuer                                  Personal Bookmarks:
Gesellschaft für wissenschaftliche            http://www.freebsd.org
Datenverarbeitung mbH Göttingen               http://www.daemonnews.org
Am Faßberg, D-37077 Göttingen
Deutschland (Germany)
kheuer@gwdu60.gwdg.de

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
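The spawn entry in Konrad's reply appends two lines to /var/log/telnetd.log per request: the output of /bin/date, then "telnet session request from <client>". Once such a log exists, the next question a compromised-host investigation asks is "who connected, how often, and when". The script below is an added example, not part of the original mail or of FreeBSD; the log lines it reads are constructed sample data in that two-line format, and the function names (summarize_requests, off_hours_requests) and the client addresses are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original mail): summarise a telnetd.log produced by
# the hosts.allow spawn entry quoted in the reply. Each request is recorded as two
# lines: the output of /bin/date, then "telnet session request from <client>".
# SAMPLE_LOG is constructed sample data, not a real capture.

SAMPLE_LOG='Thu Oct 18 02:11:04 CEST 2001
telnet session request from 192.0.2.17
Thu Oct 18 10:15:00 CEST 2001
telnet session request from 192.0.2.17
Thu Oct 18 09:42:51 CEST 2001
telnet session request from 198.51.100.8
Thu Oct 18 23:58:30 CEST 2001
telnet session request from 192.0.2.17'

# Read a log in that two-line format on stdin and print "count client" pairs,
# busiest client first. The client is the last field of each request line.
summarize_requests() {
    awk '
        /^telnet session request from / { count[$NF]++ }
        END { for (c in count) printf "%d %s\n", count[c], c }
    ' | sort -rn
}

# Count requests from one client that fall outside a daytime window
# (hour < START_HOUR or hour >= END_HOUR), using the /bin/date line that
# precedes each request line. Reads the log on stdin.
# Usage: off_hours_requests CLIENT START_HOUR END_HOUR
off_hours_requests() {
    awk -v client="$1" -v start="$2" -v end="$3" '
        # date(1) line, e.g. "Thu Oct 18 15:35:08 CEST 2001": the hour is the
        # first part of field 4 ("HH:MM:SS"); remember it for the next request line.
        /^[A-Z][a-z][a-z] [A-Z][a-z][a-z] +[0-9]+ [0-9][0-9]:[0-9][0-9]:[0-9][0-9]/ {
            split($4, t, ":"); hour = t[1] + 0; next
        }
        /^telnet session request from / && $NF == client \
            && (hour < start + 0 || hour >= end + 0) { n++ }
        END { print n + 0 }
    '
}

# Stand-alone run over the constructed log: request counts per client, then the
# number of requests from 192.0.2.17 outside 08:00-18:00.
printf '%s\n' "$SAMPLE_LOG" | summarize_requests
printf '%s\n' "$SAMPLE_LOG" | off_hours_requests 192.0.2.17 8 18
```

Both functions read the log on standard input, so on a real host they would be fed with `cat /var/log/telnetd.log | summarize_requests`. Because %c in hosts.allow expands to the client address (or hostname, where lookups succeed), the last field of the request line is what the functions key on; a hostname instead of an address works unchanged.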