Date:      Mon, 12 Feb 2001 03:22:22 -0600
From:      "R . Munden" <orbitmaster@netorbit.com>
To:        freebsd-questions@freebsd.org
Subject:   looks like the hackers found me
Message-ID:  <20010212032222.I2340@ripper>
In-Reply-To: <20010212075906.A2C1A9883@bruiser.netorbit.com>; from root@netorbit.com on Mon, Feb 12, 2001 at 01:59:06 -0600
References:  <20010212075906.A2C1A9883@bruiser.netorbit.com>

..what do you think?  I was having a lot of problems with BIND earlier
today and yesterday.



On 2001.02.12 01:59:06 -0600 Charlie Root wrote:
checking setuid files and devices:
Bus error - core dumped
Bus error - core dumped
Bus error - core dumped
Bus error - core dumped
cmp: EOF on /var/run/_secure.11658


bruiser.XXX.com setuid diffs:
1,77d0
< 109319 -r-xr-sr-x  1 root  operator   56964 Sep 25 19:01:23 2000 /bin/df
< 109332 -r-sr-xr-x  1 root  wheel     319336 Sep 25 19:06:43 2000 /bin/rcp
<  54669 -r-xr-sr-x  1 root  kmem       62800 Sep 25 19:02:38 2000 /sbin/ccdconfig
<  54675 -r-xr-sr-x  1 root  kmem       69520 Sep 25 19:02:39 2000 /sbin/dmesg
<  54738 -r-xr-sr-x  2 root  tty       331240 Sep 25 19:07:14 2000 /sbin/dump
<  54714 -r-sr-xr-x  1 root  wheel     195604 Sep 25 19:02:46 2000 /sbin/ping
<  54715 -r-sr-xr-x  1 root  bin       190832 Sep 25 19:02:46 2000 /sbin/ping6
<  54738 -r-xr-sr-x  2 root  tty       331240 Sep 25 19:07:14 2000 /sbin/rdump
<  54676 -r-xr-sr-x  2 root  tty       358072 Sep 25 19:07:16 2000 /sbin/restore
<  54719 -r-sr-xr-x  1 root  wheel     191680 Sep 25 19:02:47 2000 /sbin/route
<  54676 -r-xr-sr-x  2 root  tty       358072 Sep 25 19:07:16 2000 /sbin/rrestore
<  54724 -r-sr-x---  1 root  operator  164524 Sep 25 19:02:48 2000 /sbin/shutdown
< 7972 -r-sr-xr-x  4 root  wheel  19324 Sep 25 19:03:23 2000 /usr/bin/at
< 7972 -r-sr-xr-x  4 root  wheel  19324 Sep 25 19:03:23 2000 /usr/bin/atq
< 7972 -r-sr-xr-x  4 root  wheel  19324 Sep 25 19:03:23 2000 /usr/bin/atrm
< 7972 -r-sr-xr-x  4 root  wheel  19324 Sep 25 19:03:23 2000 /usr/bin/batch
< 7985 -r-sr-xr-x  6 root  wheel  31972 Sep 25 19:03:25 2000 /usr/bin/chfn
< 7985 -r-sr-xr-x  6 root  wheel  31972 Sep 25 19:03:25 2000 /usr/bin/chpass
< 7985 -r-sr-xr-x  6 root  wheel  31972 Sep 25 19:03:25 2000 /usr/bin/chsh
<   8178 -r-sr-xr-x  1 root  wheel    23912 Sep 25 19:03:54 2000 /usr/bin/crontab
<   7873 -r-sr-sr-x  1 uucp  dialer    123456 Sep 25 19:01:44 2000 /usr/bin/cu
< 8012 -r-xr-sr-x  1 root  kmem   12900 Sep 25 19:03:28 2000 /usr/bin/fstat
< 8027 -r-xr-sr-x  1 root  kmem    9624 Sep 25 19:03:30 2000 /usr/bin/ipcs
< 8033 -r-sr-xr-x  1 root  wheel    510 Sep 25 19:03:31 2000 /usr/bin/keyinfo
< 8034 -r-sr-xr-x  1 root  wheel   7232 Sep 25 19:03:31 2000 /usr/bin/keyinit
< 8051 -r-sr-xr-x  1 root  wheel   6792 Sep 25 19:03:33 2000 /usr/bin/lock
< 8054 -r-sr-xr-x  1 root  wheel  19556 Sep 25 19:07:07 2000 /usr/bin/login
<   8183 -r-sr-sr-x  1 root  daemon   19796 Sep 25 19:04:14 2000 /usr/bin/lpq
<   8184 -r-sr-sr-x  1 root  daemon   22996 Sep 25 19:04:14 2000 /usr/bin/lpr
<   8185 -r-sr-sr-x  1 root  daemon   19132 Sep 25 19:04:15 2000 /usr/bin/lprm
<   7925 -r-sr-xr-x  1 man   wheel      28304 Sep 25 19:02:06 2000 /usr/bin/man
< 8073 -r-xr-sr-x  1 root  kmem   84768 Sep 25 19:03:35 2000 /usr/bin/netstat
< 8075 -r-xr-sr-x  1 root  kmem    9660 Sep 25 19:03:35 2000 /usr/bin/nfsstat
< 8201 -r-sr-xr-x  2 root  wheel  31008 Sep 25 19:07:10 2000 /usr/bin/passwd
<   8088 -r-sr-xr-x  1 root  wheel    10232 Sep 25 19:03:37 2000 /usr/bin/quota
<   8084 -r-sr-xr-x  1 root  wheel    17744 Sep 25 19:07:11 2000 /usr/bin/rlogin
<   8092 -r-sr-xr-x  1 root  wheel    14960 Sep 25 19:07:12 2000 /usr/bin/rsh
<   8206 -r-sr-xr-x  2 root  wheel   170444 Sep 25 19:10:27 2000 /usr/bin/slogin
<   7954 -r-s--x--x  2 root  wheel      50544 Sep 25 19:02:23 2000 /usr/bin/sperl5.00503
<   8206 -r-sr-xr-x  2 root  wheel   170444 Sep 25 19:10:27 2000 /usr/bin/ssh
<   8096 -r-sr-xr-x  1 root  wheel    11996 Sep 25 19:07:12 2000 /usr/bin/su
<   7954 -r-s--x--x  2 root  wheel      50544 Sep 25 19:02:23 2000 /usr/bin/suidperl
<   8111 -r-xr-sr-x  1 root  kmem     56648 Sep 25 19:03:41 2000 /usr/bin/systat
<   8119 -r-xr-sr-x  1 root  kmem     32104 Sep 25 19:03:42 2000 /usr/bin/top
<   7874 -r-sr-xr-x  1 uucp  wheel      87984 Sep 25 19:01:44 2000 /usr/bin/uucp
<   7876 -r-sr-xr-x  1 uucp  wheel      37100 Sep 25 19:01:45 2000 /usr/bin/uuname
<   7879 -r-sr-sr-x  1 uucp  dialer     96540 Sep 25 19:01:45 2000 /usr/bin/uustat
<   7881 -r-sr-xr-x  1 uucp  wheel      88600 Sep 25 19:01:45 2000 /usr/bin/uux
<   8144 -r-xr-sr-x  1 root  kmem     16392 Sep 25 19:03:44 2000 /usr/bin/vmstat
<   8146 -r-xr-sr-x  1 root  tty       8796 Sep 25 19:03:45 2000 /usr/bin/wall
<   8154 -r-xr-sr-x  1 root  tty       7288 Sep 25 19:03:45 2000 /usr/bin/write
< 7985 -r-sr-xr-x  6 root  wheel  31972 Sep 25 19:03:25 2000 /usr/bin/ypchfn
< 7985 -r-sr-xr-x  6 root  wheel  31972 Sep 25 19:03:25 2000 /usr/bin/ypchpass
< 7985 -r-sr-xr-x  6 root  wheel  31972 Sep 25 19:03:25 2000 /usr/bin/ypchsh
< 8201 -r-sr-xr-x  2 root  wheel  31008 Sep 25 19:07:10 2000 /usr/bin/yppasswd
< 582565 -r-sr-xr-x  1 root  wheel    20360 Sep 25 19:02:36 2000 /usr/libexec/mail.local
< 621892 -r-sr-xr-x  1 root  wheel   376128 Sep 25 19:04:16 2000 /usr/libexec/sendmail/sendmail
< 637634 -r-sr-sr-x  1 uucp  dialer  220460 Sep 25 19:01:44 2000 /usr/libexec/uucp/uucico
< 637635 -r-sr-s---  1 uucp  uucp     99340 Sep 25 19:01:45 2000 /usr/libexec/uucp/uuxqt
< 213406 -r-sr-xr-x  1 root  staff    21483 Sep 22 04:22:55 2000 /usr/local/bin/bing
<  87456 -rwx--s--x  1 bin   dialer    92308 Sep 22 06:55:37 2000 /usr/local/bin/yaps
< 244895 -rwsr-xr-x  1 root  wheel     15484 Sep 22 04:28:21 2000 /usr/local/sbin/queso
< 465296 -rwsr-xr-x  1 root  wheel     10344 Sep 22 03:53:52 2000 /usr/local/sbin/tmetric
< 661312 -r-xr-sr-x  1 root  kmem       4456 Sep 25 19:03:55 2000 /usr/sbin/ifmcstat
< 661314 -r-xr-sr-x  1 root  kmem      10116 Sep 25 19:03:55 2000 /usr/sbin/iostat
< 661426 -r-xr-sr-x  1 root  daemon    26784 Sep 25 19:04:14 2000 /usr/sbin/lpc
< 661332 -r-sr-xr-x  1 root  wheel     16136 Sep 25 19:03:58 2000 /usr/sbin/mrinfo
< 661334 -r-sr-xr-x  1 root  wheel     29752 Sep 25 19:03:58 2000 /usr/sbin/mtrace
< 661469 -r-sr-xr--  1 root  network  283964 Sep 25 19:04:04 2000 /usr/sbin/ppp
< 661470 -r-sr-xr-x  1 root  wheel     96080 Sep 25 19:04:04 2000 /usr/sbin/pppd
< 661368 -r-xr-sr-x  2 root  kmem      14368 Sep 25 19:04:05 2000 /usr/sbin/pstat
< 661390 -r-sr-x---  1 root  network   10776 Sep 25 19:04:07 2000 /usr/sbin/sliplogin
< 661368 -r-xr-sr-x  2 root  kmem      14368 Sep 25 19:04:05 2000 /usr/sbin/swapinfo
< 661398 -r-sr-xr-x  1 root  wheel     14900 Sep 25 19:04:11 2000 /usr/sbin/timedc
< 661399 -r-sr-xr-x  1 root  wheel     12924 Sep 25 19:04:11 2000 /usr/sbin/traceroute
< 661400 -r-sr-xr-x  1 root  bin       14776 Sep 25 19:04:11 2000 /usr/sbin/traceroute6
< 661401 -r-xr-sr-x  1 root  kmem       7832 Sep 25 19:04:11 2000 /usr/sbin/trpt


checking for uids of 0:
root 0
toor 0


checking for passwordless accounts:


bruiser.XXXX.com kernel log messages:
> pid 166 (find), uid 0: exited on signal 10 (core dumped)
> pid 167 (find), uid 0: exited on signal 10 (core dumped)
> pid 190 (find), uid 0: exited on signal 10 (core dumped)
> pid 262 (find), uid 0: exited on signal 10 (core dumped)
> xl0: promiscuous mode enabled
> xl0: promiscuous mode disabled
> xl0: promiscuous mode enabled
> xl0: promiscuous mode disabled
> pid 423 (find), uid 0: exited on signal 10 (core dumped)
> pid 424 (find), uid 0: exited on signal 10 (core dumped)
> pid 439 (find), uid 0: exited on signal 10 (core dumped)
> pid 450 (find), uid 0: exited on signal 10 (core dumped)
> pid 1215 (find), uid 0: exited on signal 10 (core dumped)
> pid 1216 (find), uid 0: exited on signal 10 (core dumped)
> pid 1231 (find), uid 0: exited on signal 10 (core dumped)
> pid 1286 (find), uid 0: exited on signal 10 (core dumped)
> pid 1287 (find), uid 0: exited on signal 10 (core dumped)
> pid 1302 (find), uid 0: exited on signal 10 (core dumped)
> pid 1313 (find), uid 0: exited on signal 10 (core dumped)
> pid 1343 (ftpd), uid 1000: exited on signal 10
> pid 1344 (ftpd), uid 1000: exited on signal 10
> pid 1682 (ftpd), uid 1000: exited on signal 10
> pid 1683 (ftpd), uid 1000: exited on signal 10
> pid 1734 (ftpd), uid 1000: exited on signal 10
> pid 1756 (ftpd), uid 1000: exited on signal 10
> pid 11078 (find), uid 0: exited on signal 10 (core dumped)
> pid 11423 (find), uid 0: exited on signal 10 (core dumped)
> pid 11456 (find), uid 0: exited on signal 10 (core dumped)
> pid 11672 (find), uid 0: exited on signal 10 (core dumped)
> pid 11674 (find), uid 0: exited on signal 10 (core dumped)
> pid 11676 (find), uid 0: exited on signal 10 (core dumped)
> pid 11678 (find), uid 0: exited on signal 10 (core dumped)


bruiser.XXXX.com login failures:


bruiser.XXXX.com refused connections:


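The following triage script is an added example, not part of the message above and not one of FreeBSD's own periodic(8) security scripts. It parses the two sections of the quoted report that carry signal: the kernel log messages (crashes of find(1) and ftpd with signal 10, and the xl0 promiscuous mode toggles) and the ed-style hunk header "1,77d0" of the setuid diff, which says 77 lines were removed and none added. Sample lines are copied from the report; the signal names assume FreeBSD numbering (signal 10 is SIGBUS there, matching the "Bus error" lines), and the findings text is the script's own reading of the output.

```python
import re
from collections import Counter

# Constructed sample input: a subset of the kernel log lines and the setuid diff
# header from the periodic security report quoted in the message above.
KERNEL_LOG = """\
> pid 166 (find), uid 0: exited on signal 10 (core dumped)
> pid 167 (find), uid 0: exited on signal 10 (core dumped)
> xl0: promiscuous mode enabled
> xl0: promiscuous mode disabled
> pid 1343 (ftpd), uid 1000: exited on signal 10
> pid 1344 (ftpd), uid 1000: exited on signal 10
> pid 11078 (find), uid 0: exited on signal 10 (core dumped)
"""

SETUID_DIFF_HEADER = "1,77d0"   # from the "setuid diffs:" section of the report

CRASH_RE = re.compile(
    r"pid (?P<pid>\d+) \((?P<prog>[^)]+)\), uid (?P<uid>\d+): "
    r"exited on signal (?P<sig>\d+)(?P<core> \(core dumped\))?$"
)
PROMISC_RE = re.compile(r"^(?P<iface>\w+): promiscuous mode (?P<state>enabled|disabled)$")
# ed-style hunk header as printed by diff(1) without -u, e.g. "1,77d0", "5a6,8", "3c3".
ED_HUNK_RE = re.compile(
    r"^(?P<a1>\d+)(?:,(?P<a2>\d+))?(?P<op>[acd])(?P<b1>\d+)(?:,(?P<b2>\d+))?$"
)

# FreeBSD signal numbers (assumption: the host is FreeBSD, as the list implies).
FREEBSD_SIGNALS = {6: "SIGABRT", 10: "SIGBUS", 11: "SIGSEGV"}


def parse_kernel_log(text):
    """Turn the report's kernel log section into a list of event dicts."""
    events = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()      # the report prefixes new lines with "> "
        m = CRASH_RE.match(line)
        if m:
            sig = int(m.group("sig"))
            events.append({"kind": "crash", "pid": int(m.group("pid")),
                           "prog": m.group("prog"), "uid": int(m.group("uid")),
                           "signal": sig, "signame": FREEBSD_SIGNALS.get(sig, f"SIG{sig}"),
                           "core": m.group("core") is not None})
            continue
        m = PROMISC_RE.match(line)
        if m:
            events.append({"kind": "promisc", "iface": m.group("iface"),
                           "enabled": m.group("state") == "enabled"})
    return events


def parse_ed_hunk(header):
    """Return (lines_removed, lines_added) for one ed-style hunk header."""
    m = ED_HUNK_RE.match(header.strip())
    if not m:
        raise ValueError(f"not an ed-style hunk header: {header!r}")
    a1, a2 = int(m.group("a1")), int(m.group("a2") or m.group("a1"))
    b1, b2 = int(m.group("b1")), int(m.group("b2") or m.group("b1"))
    op = m.group("op")
    removed = a2 - a1 + 1 if op in "cd" else 0    # 'd' and 'c' consume old lines
    added = b2 - b1 + 1 if op in "ac" else 0      # 'a' and 'c' produce new lines
    return removed, added


def triage(kernel_log_text, setuid_diff_header):
    """Summarise both sections and return structured, checkable findings."""
    events = parse_kernel_log(kernel_log_text)
    crashes = Counter((e["prog"], e["uid"], e["signame"])
                      for e in events if e["kind"] == "crash")
    promisc_on = Counter(e["iface"] for e in events
                         if e["kind"] == "promisc" and e["enabled"])
    removed, added = parse_ed_hunk(setuid_diff_header)

    findings = []
    find_crashes = sum(n for (prog, uid, _), n in crashes.items()
                       if prog == "find" and uid == 0)
    if find_crashes:
        findings.append(f"setuid scan: find(1) running as root died {find_crashes} times; "
                        "the setuid diff cannot be trusted until find runs cleanly")
    if removed and not added:
        findings.append(f"setuid diff: all {removed} previously recorded entries are gone and "
                        "none were added; an empty new list is exactly what a crashed scan "
                        "produces, so rerun the scan by hand before treating them as removed")
    for iface, n in promisc_on.items():
        findings.append(f"{iface}: entered promiscuous mode {n} time(s); something captured "
                        "packets on this interface, check whether an administrator did it")
    return {"crashes": dict(crashes), "promisc_on": dict(promisc_on),
            "setuid_removed": removed, "setuid_added": added, "findings": findings}


if __name__ == "__main__":
    for line in triage(KERNEL_LOG, SETUID_DIFF_HEADER)["findings"]:
        print("-", line)
```

The point the script encodes: the "1,77d0" header means every entry from the previous day's setuid list is absent from today's, but since the same report shows the root find(1) that builds today's list dying with a bus error (and cmp hitting EOF on the temporary file), the empty list is a consequence of the crash, not evidence about the binaries. A root-owned system utility crashing repeatedly on a system that ran fine before, together with an interface going promiscuous, are the items that deserve follow-up from known-good media.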