From owner-freebsd-questions Mon Feb 12 2:35:49 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from bruiser.netorbit.com (unknown [209.15.87.170]) by hub.freebsd.org (Postfix) with ESMTP id 70E2137B491 for ; Mon, 12 Feb 2001 02:35:45 -0800 (PST)
Received: from 192.168.70.253 (unknown [192.168.70.52]) by bruiser.netorbit.com (Postfix) with SMTP id E4FE59883 for ; Mon, 12 Feb 2001 04:35:50 -0600 (CST)
Date: Mon, 12 Feb 2001 04:35:56 -0600
From: "R . Munden"
To: freebsd-questions@freebsd.org
Subject: Re: looks like the hackers found me
Message-ID: <20010212043556.K2340@ripper>
References: <20010212075906.A2C1A9883@bruiser.netorbit.com> <20010212032222.I2340@ripper> <20010212021417.A28413@mollari.cthul.hu>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
In-Reply-To: <20010212021417.A28413@mollari.cthul.hu>; from kris@obsecurity.org on Mon, Feb 12, 2001 at 04:14:17 -0600
X-Mailer: Balsa 1.0.0
Content-Length: 1735
Lines: 45
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On 2001.02.12 04:14:17 -0600 Kris Kennaway wrote:
> On Mon, Feb 12, 2001 at 03:22:22AM -0600, R . Munden wrote:
> > ..what do you think? I was having a lot of problems with BIND earlier
> > today and yesterday.
>
> What version of BIND are you running? If it's not a vulnerable one
> (see Security Advisory 01:18), then I doubt it was this :-)

It was a vulnerable version; I'm up to the new 8.x as of about three hours
ago. What made me think it was a hacker was the fact that the pipe was
filling up with UDP packets. It could have been named acting funky because
of a bad disk. It's almost time for the work day to start here; I'll run
an fsck after the morning phone calls have stopped. Any pointers on
troubleshooting disk sub-system errors?
>
> > On 2001.02.12 01:59:06 -0600 Charlie Root wrote:
> > checking setuid files and devices:
> > Bus error - core dumped
> > Bus error - core dumped
> > Bus error - core dumped
> > Bus error - core dumped
> > cmp: EOF on /var/run/_secure.11658
>
> Check /var/log/messages to see what was actually dumping core. The
> find(1) job didn't complete, which is why the list below shows a whole
> lot of files "disappearing" and not being replaced by anything
> (i.e. the list of files it was comparing to was empty).

Ahhh, that helps (I thought it was saying they were the files that changed,
and I guess that is what it is saying). Looks like find is dumping core
most recently, and named did it earlier.

>
> > < 109319 -r-xr-sr-x 1 root operator 56964 Sep 25 19:01:23 2000 /bin/df
> > < 109332 -r-sr-xr-x 1 root wheel 319336 Sep 25 19:06:43 2000 /bin/rcp
> > < 54669 -r-xr-sr-x 1 root kmem 62800 Sep 25 19:02:38 2000 /sbin/ccdconfig
> ...
>
> Kris

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
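To make the point in Kris's reply concrete (the setuid report only means something if the find(1) scan actually completed), here is an added example in POSIX sh. It is not FreeBSD's own /etc/security script and does not copy its output format; it is a minimal stand-in that lists setuid/setgid files, diffs the sorted list against a saved baseline and, unlike a naive script, refuses to compare or overwrite the baseline when the scan exits with an error. The function name setuid_check, the baseline path and the constructed demo tree are assumptions of this example, not anything from the thread.

```shell
#!/bin/sh
# Added illustration (not FreeBSD's /etc/security): a minimal setuid/setgid
# baseline check that refuses to trust an incomplete file list.
#
# Return codes: 0 = baseline recorded or unchanged, 1 = changes reported,
#               2 = the scan itself failed and the baseline was left alone.
setuid_check() {
    root="$1"        # directory tree to scan
    baseline="$2"    # last known-good list (assumed path, like a saved _secure.* list)
    tmp="${baseline}.new"

    # Collect setuid (-4000) and setgid (-2000) regular files, one ls -l line
    # each. find's exit status is checked BEFORE anything is compared: if the
    # scan aborts part-way (in the thread it dumped core), the list is short
    # or empty, and diffing it would make every file look as if it vanished.
    if ! find "$root" -type f \( -perm -4000 -o -perm -2000 \) \
            -exec ls -l {} \; > "$tmp.raw" 2>/dev/null; then
        echo "setuid_check: scan of $root failed, keeping old baseline" >&2
        rm -f "$tmp.raw" "$tmp"
        return 2
    fi
    sort "$tmp.raw" > "$tmp" && rm -f "$tmp.raw"

    # First run: nothing to compare against, so record the baseline.
    if [ ! -f "$baseline" ]; then
        mv "$tmp" "$baseline"
        echo "setuid_check: baseline recorded in $baseline"
        return 0
    fi

    # Report removals ('<'), additions ('>') and mode/size/mtime changes.
    if diff "$baseline" "$tmp" > "$tmp.diff"; then
        rm -f "$tmp" "$tmp.diff"
        return 0
    fi
    echo "setuid_check: setuid/setgid files changed under $root:"
    cat "$tmp.diff"
    mv "$tmp" "$baseline"    # accept the new state as the next baseline
    rm -f "$tmp.diff"
    return 1
}

# Stand-alone demonstration on a constructed throw-away tree: sh file demo
if [ "${1:-}" = "demo" ]; then
    D=$(mktemp -d)
    mkdir "$D/tree"
    : > "$D/tree/plain"; : > "$D/tree/suid1"; chmod 4755 "$D/tree/suid1"
    setuid_check "$D/tree" "$D/baseline"      # records the baseline
    : > "$D/tree/suid2"; chmod 4755 "$D/tree/suid2"
    setuid_check "$D/tree" "$D/baseline"      # prints '> ... suid2', returns 1
    setuid_check "$D/missing" "$D/baseline"   # scan fails, returns 2, baseline kept
    rm -rf "$D"
fi
```

The exit-status test around find is the part worth keeping: a scan that dies part-way (bus error, core dump, I/O error from a failing disk) yields a truncated or empty list, and comparing that against yesterday's list produces exactly the wall of `<` lines quoted above, which reads like a compromise but is really a broken check.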