Date:      Wed, 14 Apr 2004 00:31:43 -0500
From:      "Micheal Patterson" <micheal@tsgincorporated.com>
To:        "dave" <dmehler26@woh.rr.com>, <freebsd-questions@freebsd.org>
Subject:   Re: have i been hacked?
Message-ID:  <01a201c421e1$ca40a950$0201a8c0@dredster>
References:  <000001c421de$6c67ba10$0200a8c0@satellite>


----- Original Message ----- 
From: "dave" <dmehler26@woh.rr.com>
To: <freebsd-questions@freebsd.org>
Sent: Tuesday, April 13, 2004 11:51 PM
Subject: have i been hacked?


> Hello,
>     Wondering if a system on my network has been hacked? At approx 12:30
> this evening the hard disk went crazy. I have been out of town lately and
> have not checked any of the machines; when I did, the CPU usage was at 15%,
> which on this machine never gets above 1, maybe 1.5. So I looked, and I
> had nearly 150 processes on the box, 9 running. When I got the daily run
> output I noticed the setuid files have changed. Wondering if this box got
> hacked, and if so, where to look to confirm this? And if so, what to do?
> Thanks.
> Dave.
>
>
> Checking setuid files and devices:
> ls: Terminated
> : No such file or directory
>
> guardian.davemehler.net setuid diffs:
> 1,52d0
> < 94240 -r-sr-xr-x  1 root  wheel     448384 Jun  4 21:54:47 2003 /bin/rcp
> < 117807 -r-sr-x---  1 root  operator  421832 Jun  4 21:55:39 2003

Compared to my 4.9 systems, your rcp is nearly twice the size it should
be.

-r-sr-xr-x  1 root  wheel  251444 Apr  9 12:05 rcp

You didn't say which version you were running, but if it's a 4.x, then I'd
say you've got a serious issue here. If you're running 5.x then I can't say.

--

Micheal Patterson
Network Administration
TSG Incorporated
405-917-0600
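The check Micheal describes, comparing the daily run's setuid listing against a known-good system, can be scripted. The Python below is an added example, not code from this thread or from FreeBSD: it parses the inode-prefixed listing format shown in the quoted daily output, diffs a baseline listing against a current one, and reports added or removed setuid files, permission or ownership changes, and binaries whose size jumped by at least an assumed ratio (1.5x by default). The sample listings are constructed; only the two rcp sizes (251444 and 448384) come from the thread.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "mode owner group size")

# One line of the inode-prefixed long listing the FreeBSD daily security run prints:
# 94240 -r-sr-xr-x  1 root  wheel  448384 Jun  4 21:54:47 2003 /bin/rcp
LINE = re.compile(
    r"^\s*\d+\s+(?P<mode>\S{10})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<size>\d+)\s+\w{3}\s+\d+\s+[\d:]+\s+\d{4}\s+(?P<path>/\S+)\s*$"
)

def parse_listing(text):
    """Map path -> Entry, skipping lines that are not listing lines."""
    out = {}
    for m in filter(None, map(LINE.match, text.splitlines())):
        out[m["path"]] = Entry(m["mode"], m["owner"], m["group"], int(m["size"]))
    return out

def audit_setuid(baseline, current, ratio=1.5):
    """Return (finding, path, detail) tuples for each difference between two listings.
    A size jump of `ratio` or more in either direction is labelled 'size-suspicious'."""
    old, new = parse_listing(baseline), parse_listing(current)
    findings = []
    for path in sorted(set(old) | set(new)):
        if path not in old:
            e = new[path]
            findings.append(("added", path, f"{e.mode} {e.owner}:{e.group}"))
        elif path not in new:
            findings.append(("removed", path, ""))
        else:
            a, b = old[path], new[path]
            if a[:3] != b[:3]:  # mode, owner or group differs
                findings.append(("perm-change", path, f"{a.mode} {a.owner}:{a.group} -> {b.mode} {b.owner}:{b.group}"))
            if a.size != b.size:
                big = max(a.size, b.size) / max(1, min(a.size, b.size)) >= ratio
                findings.append(("size-suspicious" if big else "size-change", path, f"{a.size} -> {b.size}"))
    return findings

# Constructed sample data: the two /bin/rcp sizes are the figures quoted in the
# thread (251444 reference, 448384 observed); every other entry is made up.
BASELINE = """\
94240 -r-sr-xr-x  1 root  wheel   251444 Apr  9 12:05:00 2004 /bin/rcp
 5011 -r-sr-xr-x  1 root  wheel    28672 Jun  4 21:55:00 2003 /usr/bin/passwd
 5120 -r-sr-xr-x  1 root  wheel    20480 Jun  4 21:55:00 2003 /usr/bin/su
"""
CURRENT = """\
94240 -r-sr-xr-x  1 root  wheel   448384 Jun  4 21:54:47 2003 /bin/rcp
 5011 -r-sr-xr-x  1 root  wheel    28672 Jun  4 21:55:00 2003 /usr/bin/passwd
73002 -rwsr-xr-x  1 root  wheel   123456 Apr 13 23:50:11 2004 /tmp/.x/sh
"""
```

Running `audit_setuid(BASELINE, CURRENT)` on the constructed data reports rcp as size-suspicious, /tmp/.x/sh as added and /usr/bin/su as removed, which is the kind of triage list the daily diff alone does not give you.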


