From owner-freebsd-questions Mon Feb 12 1:22:19 2001
Date: Mon, 12 Feb 2001 03:22:22 -0600
From: "R . Munden"
To: freebsd-questions@freebsd.org
Subject: looks like the hackers found me
Message-ID: <20010212032222.I2340@ripper>
References: <20010212075906.A2C1A9883@bruiser.netorbit.com>
In-Reply-To: <20010212075906.A2C1A9883@bruiser.netorbit.com>; from root@netorbit.com on Mon, Feb 12, 2001 at 01:59:06 -0600

..what do you think? I was having a lot of problems with BIND earlier today and yesterday.
On 2001.02.12 01:59:06 -0600 Charlie Root wrote:
> checking setuid files and devices:
> Bus error - core dumped
> Bus error - core dumped
> Bus error - core dumped
> Bus error - core dumped
> cmp: EOF on /var/run/_secure.11658
>
> bruiser.XXX.com setuid diffs:
> 1,77d0
> < 109319 -r-xr-sr-x 1 root operator 56964 Sep 25 19:01:23 2000 /bin/df
> < 109332 -r-sr-xr-x 1 root wheel 319336 Sep 25 19:06:43 2000 /bin/rcp
> < 54669 -r-xr-sr-x 1 root kmem 62800 Sep 25 19:02:38 2000 /sbin/ccdconfig
> < 54675 -r-xr-sr-x 1 root kmem 69520 Sep 25 19:02:39 2000 /sbin/dmesg
> < 54738 -r-xr-sr-x 2 root tty 331240 Sep 25 19:07:14 2000 /sbin/dump
> < 54714 -r-sr-xr-x 1 root wheel 195604 Sep 25 19:02:46 2000 /sbin/ping
> < 54715 -r-sr-xr-x 1 root bin 190832 Sep 25 19:02:46 2000 /sbin/ping6
> < 54738 -r-xr-sr-x 2 root tty 331240 Sep 25 19:07:14 2000 /sbin/rdump
> < 54676 -r-xr-sr-x 2 root tty 358072 Sep 25 19:07:16 2000 /sbin/restore
> < 54719 -r-sr-xr-x 1 root wheel 191680 Sep 25 19:02:47 2000 /sbin/route
> < 54676 -r-xr-sr-x 2 root tty 358072 Sep 25 19:07:16 2000 /sbin/rrestore
> < 54724 -r-sr-x--- 1 root operator 164524 Sep 25 19:02:48 2000 /sbin/shutdown
> < 7972 -r-sr-xr-x 4 root wheel 19324 Sep 25 19:03:23 2000 /usr/bin/at
> < 7972 -r-sr-xr-x 4 root wheel 19324 Sep 25 19:03:23 2000 /usr/bin/atq
> < 7972 -r-sr-xr-x 4 root wheel 19324 Sep 25 19:03:23 2000 /usr/bin/atrm
> < 7972 -r-sr-xr-x 4 root wheel 19324 Sep 25 19:03:23 2000 /usr/bin/batch
> < 7985 -r-sr-xr-x 6 root wheel 31972 Sep 25 19:03:25 2000 /usr/bin/chfn
> < 7985 -r-sr-xr-x 6 root wheel 31972 Sep 25 19:03:25 2000 /usr/bin/chpass
> < 7985 -r-sr-xr-x 6 root wheel 31972 Sep 25 19:03:25 2000 /usr/bin/chsh
> < 8178 -r-sr-xr-x 1 root wheel 23912 Sep 25 19:03:54 2000 /usr/bin/crontab
> < 7873 -r-sr-sr-x 1 uucp dialer 123456 Sep 25 19:01:44 2000 /usr/bin/cu
> < 8012 -r-xr-sr-x 1 root kmem 12900 Sep 25 19:03:28 2000 /usr/bin/fstat
> < 8027 -r-xr-sr-x 1 root kmem 9624 Sep 25 19:03:30 2000 /usr/bin/ipcs
> < 8033 -r-sr-xr-x 1 root wheel 510 Sep 25 19:03:31 2000 /usr/bin/keyinfo
> < 8034 -r-sr-xr-x 1 root wheel 7232 Sep 25 19:03:31 2000 /usr/bin/keyinit
> < 8051 -r-sr-xr-x 1 root wheel 6792 Sep 25 19:03:33 2000 /usr/bin/lock
> < 8054 -r-sr-xr-x 1 root wheel 19556 Sep 25 19:07:07 2000 /usr/bin/login
> < 8183 -r-sr-sr-x 1 root daemon 19796 Sep 25 19:04:14 2000 /usr/bin/lpq
> < 8184 -r-sr-sr-x 1 root daemon 22996 Sep 25 19:04:14 2000 /usr/bin/lpr
> < 8185 -r-sr-sr-x 1 root daemon 19132 Sep 25 19:04:15 2000 /usr/bin/lprm
> < 7925 -r-sr-xr-x 1 man wheel 28304 Sep 25 19:02:06 2000 /usr/bin/man
> < 8073 -r-xr-sr-x 1 root kmem 84768 Sep 25 19:03:35 2000 /usr/bin/netstat
> < 8075 -r-xr-sr-x 1 root kmem 9660 Sep 25 19:03:35 2000 /usr/bin/nfsstat
> < 8201 -r-sr-xr-x 2 root wheel 31008 Sep 25 19:07:10 2000 /usr/bin/passwd
> < 8088 -r-sr-xr-x 1 root wheel 10232 Sep 25 19:03:37 2000 /usr/bin/quota
> < 8084 -r-sr-xr-x 1 root wheel 17744 Sep 25 19:07:11 2000 /usr/bin/rlogin
> < 8092 -r-sr-xr-x 1 root wheel 14960 Sep 25 19:07:12 2000 /usr/bin/rsh
> < 8206 -r-sr-xr-x 2 root wheel 170444 Sep 25 19:10:27 2000 /usr/bin/slogin
> < 7954 -r-s--x--x 2 root wheel 50544 Sep 25 19:02:23 2000 /usr/bin/sperl5.00503
> < 8206 -r-sr-xr-x 2 root wheel 170444 Sep 25 19:10:27 2000 /usr/bin/ssh
> < 8096 -r-sr-xr-x 1 root wheel 11996 Sep 25 19:07:12 2000 /usr/bin/su
> < 7954 -r-s--x--x 2 root wheel 50544 Sep 25 19:02:23 2000 /usr/bin/suidperl
> < 8111 -r-xr-sr-x 1 root kmem 56648 Sep 25 19:03:41 2000 /usr/bin/systat
> < 8119 -r-xr-sr-x 1 root kmem 32104 Sep 25 19:03:42 2000 /usr/bin/top
> < 7874 -r-sr-xr-x 1 uucp wheel 87984 Sep 25 19:01:44 2000 /usr/bin/uucp
> < 7876 -r-sr-xr-x 1 uucp wheel 37100 Sep 25 19:01:45 2000 /usr/bin/uuname
> < 7879 -r-sr-sr-x 1 uucp dialer 96540 Sep 25 19:01:45 2000 /usr/bin/uustat
> < 7881 -r-sr-xr-x 1 uucp wheel 88600 Sep 25 19:01:45 2000 /usr/bin/uux
> < 8144 -r-xr-sr-x 1 root kmem 16392 Sep 25 19:03:44 2000 /usr/bin/vmstat
> < 8146 -r-xr-sr-x 1 root tty 8796 Sep 25 19:03:45 2000 /usr/bin/wall
> < 8154 -r-xr-sr-x 1 root tty 7288 Sep 25 19:03:45 2000 /usr/bin/write
> < 7985 -r-sr-xr-x 6 root wheel 31972 Sep 25 19:03:25 2000 /usr/bin/ypchfn
> < 7985 -r-sr-xr-x 6 root wheel 31972 Sep 25 19:03:25 2000 /usr/bin/ypchpass
> < 7985 -r-sr-xr-x 6 root wheel 31972 Sep 25 19:03:25 2000 /usr/bin/ypchsh
> < 8201 -r-sr-xr-x 2 root wheel 31008 Sep 25 19:07:10 2000 /usr/bin/yppasswd
> < 582565 -r-sr-xr-x 1 root wheel 20360 Sep 25 19:02:36 2000 /usr/libexec/mail.local
> < 621892 -r-sr-xr-x 1 root wheel 376128 Sep 25 19:04:16 2000 /usr/libexec/sendmail/sendmail
> < 637634 -r-sr-sr-x 1 uucp dialer 220460 Sep 25 19:01:44 2000 /usr/libexec/uucp/uucico
> < 637635 -r-sr-s--- 1 uucp uucp 99340 Sep 25 19:01:45 2000 /usr/libexec/uucp/uuxqt
> < 213406 -r-sr-xr-x 1 root staff 21483 Sep 22 04:22:55 2000 /usr/local/bin/bing
> < 87456 -rwx--s--x 1 bin dialer 92308 Sep 22 06:55:37 2000 /usr/local/bin/yaps
> < 244895 -rwsr-xr-x 1 root wheel 15484 Sep 22 04:28:21 2000 /usr/local/sbin/queso
> < 465296 -rwsr-xr-x 1 root wheel 10344 Sep 22 03:53:52 2000 /usr/local/sbin/tmetric
> < 661312 -r-xr-sr-x 1 root kmem 4456 Sep 25 19:03:55 2000 /usr/sbin/ifmcstat
> < 661314 -r-xr-sr-x 1 root kmem 10116 Sep 25 19:03:55 2000 /usr/sbin/iostat
> < 661426 -r-xr-sr-x 1 root daemon 26784 Sep 25 19:04:14 2000 /usr/sbin/lpc
> < 661332 -r-sr-xr-x 1 root wheel 16136 Sep 25 19:03:58 2000 /usr/sbin/mrinfo
> < 661334 -r-sr-xr-x 1 root wheel 29752 Sep 25 19:03:58 2000 /usr/sbin/mtrace
> < 661469 -r-sr-xr-- 1 root network 283964 Sep 25 19:04:04 2000 /usr/sbin/ppp
> < 661470 -r-sr-xr-x 1 root wheel 96080 Sep 25 19:04:04 2000 /usr/sbin/pppd
> < 661368 -r-xr-sr-x 2 root kmem 14368 Sep 25 19:04:05 2000 /usr/sbin/pstat
> < 661390 -r-sr-x--- 1 root network 10776 Sep 25 19:04:07 2000 /usr/sbin/sliplogin
> < 661368 -r-xr-sr-x 2 root kmem 14368 Sep 25 19:04:05 2000 /usr/sbin/swapinfo
> < 661398 -r-sr-xr-x 1 root wheel 14900 Sep 25 19:04:11 2000 /usr/sbin/timedc
> < 661399 -r-sr-xr-x 1 root wheel 12924 Sep 25 19:04:11 2000 /usr/sbin/traceroute
> < 661400 -r-sr-xr-x 1 root bin 14776 Sep 25 19:04:11 2000 /usr/sbin/traceroute6
> < 661401 -r-xr-sr-x 1 root kmem 7832 Sep 25 19:04:11 2000 /usr/sbin/trpt
>
> checking for uids of 0:
> root 0
> toor 0
>
> checking for passwordless accounts:
>
> bruiser.XXXX.com kernel log messages:
> > pid 166 (find), uid 0: exited on signal 10 (core dumped)
> > pid 167 (find), uid 0: exited on signal 10 (core dumped)
> > pid 190 (find), uid 0: exited on signal 10 (core dumped)
> > pid 262 (find), uid 0: exited on signal 10 (core dumped)
> > xl0: promiscuous mode enabled
> > xl0: promiscuous mode disabled
> > xl0: promiscuous mode enabled
> > xl0: promiscuous mode disabled
> > pid 423 (find), uid 0: exited on signal 10 (core dumped)
> > pid 424 (find), uid 0: exited on signal 10 (core dumped)
> > pid 439 (find), uid 0: exited on signal 10 (core dumped)
> > pid 450 (find), uid 0: exited on signal 10 (core dumped)
> > pid 1215 (find), uid 0: exited on signal 10 (core dumped)
> > pid 1216 (find), uid 0: exited on signal 10 (core dumped)
> > pid 1231 (find), uid 0: exited on signal 10 (core dumped)
> > pid 1286 (find), uid 0: exited on signal 10 (core dumped)
> > pid 1287 (find), uid 0: exited on signal 10 (core dumped)
> > pid 1302 (find), uid 0: exited on signal 10 (core dumped)
> > pid 1313 (find), uid 0: exited on signal 10 (core dumped)
> > pid 1343 (ftpd), uid 1000: exited on signal 10
> > pid 1344 (ftpd), uid 1000: exited on signal 10
> > pid 1682 (ftpd), uid 1000: exited on signal 10
> > pid 1683 (ftpd), uid 1000: exited on signal 10
> > pid 1734 (ftpd), uid 1000: exited on signal 10
> > pid 1756 (ftpd), uid 1000: exited on signal 10
> > pid 11078 (find), uid 0: exited on signal 10 (core dumped)
> > pid 11423 (find), uid 0: exited on signal 10 (core dumped)
> > pid 11456 (find), uid 0: exited on signal 10 (core dumped)
> > pid 11672 (find), uid 0: exited on signal 10 (core dumped)
> > pid 11674 (find), uid 0: exited on signal 10 (core dumped)
> > pid 11676 (find), uid 0: exited on signal 10 (core dumped)
> > pid 11678 (find), uid 0: exited on signal 10 (core dumped)
>
> bruiser.XXXX.com login failures:
>
> bruiser.XXXX.com refused connections: