Date:      Wed, 14 Apr 2004 17:00:02 +0100
From:      Dick Davies <rasputnik@hellooperator.net>
To:        Luke Kearney <lukek@meibin.net>
Cc:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: have i been hacked?
Message-ID:  <20040414160002.GB9078@lb.tenfour>
In-Reply-To: <20040414144409.F3F8.LUKEK@meibin.net>
References:  <000001c421de$6c67ba10$0200a8c0@satellite> <20040414144409.F3F8.LUKEK@meibin.net>

* Luke Kearney <lukek@meibin.net> [0459 06:59]:
> 
> On Wed, 14 Apr 2004 00:51:06 -0400
> "dave" <dmehler26@woh.rr.com> granted us these pearls of wisdom:
> 
> > Hello,
> >     Wondering if a system on my network has been hacked?
> > ls: Terminated
> > : No such file or directory
 
> > guardian.davemehler.net setuid diffs:
> > 1,52d0
> > < 94240 -r-sr-xr-x  1 root  wheel     448384 Jun  4 21:54:47 2003 /bin/rcp
> > < 117807 -r-sr-x---  1 root  operator  421832 Jun  4 21:55:39 2003
> > /sbin/mksnap_ffs
> > < 117826 -r-sr-xr-x  1 root  wheel     451668 Jun  4 21:55:43 2003
> > /sbin/ping
> > < 117827 -r-sr-xr-x  1 root  wheel     463444 Jun  4 21:55:43 2003
> > /sbin/ping6

> My first suggestion is to have a look at what services are running that
> shouldn't be. A hacked box is not much use to anyone if they cannot use
> it.  Try sockstat -4 and see if there are unusual ( unusual for this box )
> services running such as iirc related services. Take a look at your mail
> logs and see if there is unusual mail traffic.

If the box has been taken, you can't trust the binaries any more.
 
> If the attacker is still logged in ( probably unlikely ) you might get a
> hint from netstat -NA |grep ESTABLISHED 

-- 
Menu, n.:
	A list of dishes which the restaurant has just run out of.
Rasputin :: Jack of All Trades - Master of Nuns
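A defender-side companion to the setuid diff quoted above and to the point that on-box binaries cannot be trusted once a host is taken: this is an added example, not code from the thread or from FreeBSD's periodic scripts. It assumes a baseline manifest recorded while the host was known-good and kept off-box, and that find and sha256 are run from trusted read-only media rather than from the suspect system.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts.
# Compares a trusted baseline manifest of setuid/setgid binaries ("path sha256",
# one per line) against a fresh one. Assumes the baseline was taken while the
# host was known-good and stored off-box, and that make_manifest is run with
# find/sha256 from trusted media, since on-box binaries may have been replaced.

# sha256 of one file: FreeBSD ships sha256(1), Linux ships sha256sum(1).
hash_file() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d ' ' -f 1
    fi
}

# Emit "path sha256" for every setuid/setgid regular file under $1,
# staying on one filesystem (-xdev) so mounted media is not scanned.
make_manifest() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort |
    while IFS= read -r f; do
        printf '%s %s\n' "$f" "$(hash_file "$f")"
    done
}

# Report ADDED / CHANGED / REMOVED paths between baseline ($1) and current ($2).
compare_manifests() {
    awk '
        FILENAME == ARGV[1] { base[$1] = $2; next }
        {
            if (!($1 in base))       print "ADDED   " $1
            else if (base[$1] != $2) print "CHANGED " $1
            seen[$1] = 1
        }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$1" "$2" | sort
}

# Self-check on constructed manifests (hash values are placeholders):
# /sbin/ping changed, /sbin/ping6 disappeared, an unexpected setuid file appeared.
self_check() {
    d=$(mktemp -d) || return 1
    printf '/bin/rcp 1111\n/sbin/ping 2222\n/sbin/ping6 3333\n' > "$d/baseline"
    printf '/bin/rcp 1111\n/sbin/ping 9999\n/usr/local/bin/unexpected 4444\n' > "$d/current"
    compare_manifests "$d/baseline" "$d/current"
    rm -rf "$d"
}

# Usage on a real host: make_manifest / > baseline   (known-good, store off-box)
# later:                make_manifest / > current; compare_manifests baseline current
```

Unlike the inode and mode listing in the daily security mail, a hash comparison also catches a setuid binary that was replaced in place with the same name, size and permissions.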