Date: Thu, 18 Oct 2001 15:35:08 +0200 (CEST)
From: Konrad Heuer <kheuer@gwdu60.gwdg.de>
To: Tomek <tomek@mpionline.com>
Cc: <freebsd-questions@FreeBSD.ORG>
Subject: Re: I got hacked, I think
Message-ID: <20011018152518.G37610-100000@gwdu60.gwdg.de>
In-Reply-To: <011e01c157cf$9b401700$f6f073d1@mpionline.com>
On Thu, 18 Oct 2001, Tomek wrote:

> Hope I don't sound like a fool posting 2 separate problems in the same
> day. But while looking for the first problem I found many unusual
> things. I will try to keep it to the point to not waste anyone's time. I
> appreciate ANY help.
>
> ===WHAT I FOUND (quick snips)===
>
> (...)
>
> Is it normal for /var/log/security to be empty?

Yes, it may usually be empty.

> Is it normal to have lots of entries in setuid.today (i.e. is it caused
> by general server activity)?

No; in normal operation, the files /var/log/setuid.today and
/var/log/setuid.today should not differ very much; the system
administrator should usually know when entries may change.

> Any suggestions of what logs/places I should check next to find out WHAT
> has been done to my system and what it was used for? (i.e. a connection
> log to see when this hacker was connecting, if it exists).
> Any other help.

I suggest (I used this myself) placing some entries in /etc/hosts.allow
for ftp, telnet, ssh etc. which log any access; below you find an example
I used to log telnet requests (in reality, this is *one* line, not two
lines):

    telnetd : ALL : spawn ( /bin/date >> /var/log/telnetd.log && /bin/echo "telnet session request from %c" >> /var/log/telnetd.log ) : allow

Best regards
Konrad

Konrad Heuer                                              Personal Bookmarks:
Gesellschaft für wissenschaftliche Datenverarbeitung mbH Göttingen   http://www.freebsd.org
Am Faßberg, D-37077 Göttingen                             http://www.daemonnews.org
Deutschland (Germany)                                     kheuer@gwdu60.gwdg.de
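As an added example (not from this thread and not FreeBSD's own periodic security script), the following POSIX shell script builds the kind of setuid/setgid inventory that sits behind /var/log/setuid.today and compares it with the previous day's copy, so that unexpected additions of the sort Tomek asks about stand out; the helper names and the state directory are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the mail thread or from FreeBSD's /etc/periodic scripts:
# a minimal setuid/setgid inventory with a today/yesterday comparison.
# Assumptions: POSIX sh with find(1), ls(1), awk(1), comm(1) and sort(1).
LC_ALL=C; export LC_ALL

# setuid_list ROOT: one line "path mode uid gid" per setuid or setgid regular
# file below ROOT on the same filesystem, sorted so two lists can be compared.
setuid_list() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ln {} + 2>/dev/null |
        awk '{ print $NF, $1, $3, $4 }' | sort
}

# setuid_diff OLD NEW: report entries that appeared or vanished between two
# sorted inventories. Returns 0 when identical, 1 when anything changed, so a
# cron job can mail the admin only on change.
setuid_diff() {
    added=$(comm -13 "$1" "$2")
    removed=$(comm -23 "$1" "$2")
    [ -n "$added" ] && printf 'ADDED setuid/setgid files (investigate each):\n%s\n' "$added"
    [ -n "$removed" ] && printf 'REMOVED setuid/setgid files:\n%s\n' "$removed"
    [ -z "$added" ] && [ -z "$removed" ]
}

# setuid_check ROOT STATEDIR: rotate STATEDIR/setuid.today to setuid.yesterday,
# take a fresh inventory and diff the two (file names mirror the ones on the page).
# Usage from a daily cron job, for instance:  setuid_check / /var/log/setuid-check
setuid_check() {
    state=$2
    mkdir -p "$state"
    [ -f "$state/setuid.today" ] && mv "$state/setuid.today" "$state/setuid.yesterday"
    setuid_list "$1" > "$state/setuid.today"
    # First run: nothing to compare against yet, so seed yesterday's copy.
    [ -f "$state/setuid.yesterday" ] || cp "$state/setuid.today" "$state/setuid.yesterday"
    setuid_diff "$state/setuid.yesterday" "$state/setuid.today"
}
```

Each path reported under ADDED should be explained by a known package install or upgrade; a setuid binary nobody installed is exactly the kind of entry the thread is worried about.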