Date:      Wed, 14 Apr 2004 14:47:18 +0900
From:      Luke Kearney <lukek@meibin.net>
To:        "dave" <dmehler26@woh.rr.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: have i been hacked?
Message-ID:  <20040414144409.F3F8.LUKEK@meibin.net>
In-Reply-To: <000001c421de$6c67ba10$0200a8c0@satellite>
References:  <000001c421de$6c67ba10$0200a8c0@satellite>


On Wed, 14 Apr 2004 00:51:06 -0400
"dave" <dmehler26@woh.rr.com> granted us these pearls of wisdom:

> Hello,
>     Wondering if a system on my network has been hacked? At approx 12:30
> this evening the hard disk went crazy. I have been out of town lately and
> have not checked any of the machines; when I did, the CPU usage was at 15%,
> which on this machine it never gets above 1, maybe 1.5. So I looked, and I
> had nearly 150 processes on the box, 9 running. When I got the daily run
> output I noticed the setuid files have changed. Wondering if this box got
> hacked and if so where to look to confirm this? And if so, what to do?
> Thanks.
> Dave.
> 
> 
> Checking setuid files and devices:
> ls: Terminated
> : No such file or directory
> 
> guardian.davemehler.net setuid diffs:
> 1,52d0
> < 94240 -r-sr-xr-x  1 root  wheel     448384 Jun  4 21:54:47 2003 /bin/rcp
> < 117807 -r-sr-x---  1 root  operator  421832 Jun  4 21:55:39 2003
> /sbin/mksnap_ffs
> < 117826 -r-sr-xr-x  1 root  wheel     451668 Jun  4 21:55:43 2003
> /sbin/ping
> < 117827 -r-sr-xr-x  1 root  wheel     463444 Jun  4 21:55:43 2003
> /sbin/ping6
> < 117839 -r-sr-x---  1 root  operator  431052 Jun  4 21:55:46 2003
> /sbin/shutdown
> < 94338 -r-sr-xr-x  4 root  wheel      21608 Jun  4 21:56:31 2003
> /usr/bin/at
> < 94338 -r-sr-xr-x  4 root  wheel      21608 Jun  4 21:56:31 2003
> /usr/bin/atq
> < 94338 -r-sr-xr-x  4 root  wheel      21608 Jun  4 21:56:31 2003
> /usr/bin/atrm
> < 94338 -r-sr-xr-x  4 root  wheel      21608 Jun  4 21:56:31 2003
> /usr/bin/batch
> < 94353 -r-sr-xr-x  6 root  wheel      17892 Jun  4 21:56:32 2003
> /usr/bin/chfn
> < 94353 -r-sr-xr-x  6 root  wheel      17892 Jun  4 21:56:32 2003
> /usr/bin/chpass
> < 94353 -r-sr-xr-x  6 root  wheel      17892 Jun  4 21:56:32 2003
> /usr/bin/chsh
> < 94553 -r-sr-xr-x  1 root  wheel    27072 Jun  4 21:56:56 2003
> /usr/bin/crontab
> < 94384 -r-xr-sr-x  1 root  kmem       15416 Jun  4 21:56:35 2003
> /usr/bin/fstat
> < 94419 -r-sr-xr-x  1 root  wheel       7804 Jun  4 21:56:39 2003
> /usr/bin/lock
> < 94422 -r-sr-xr-x  1 root  wheel      18944 Jun  4 21:56:39 2003
> /usr/bin/login
> < 94560 -r-sr-sr-x  1 root  daemon   25344 Jun  4 21:57:13 2003
> /usr/bin/lpq.bak
> < 94561 -r-sr-sr-x  1 root  daemon   29216 Jun  4 21:57:14 2003
> /usr/bin/lpr.bak
> < 94562 -r-sr-sr-x  1 root  daemon   24108 Jun  4 21:57:14 2003
> /usr/bin/lprm.bak
> < 94441 -r-xr-sr-x  1 root  kmem      100776 Jun  4 21:56:41 2003
> /usr/bin/netstat
> < 94448 -r-sr-xr-x  1 root  wheel       4452 Jun  4 21:56:41 2003
> /usr/bin/opieinfo
> < 94450 -r-sr-xr-x  1 root  wheel    11612 Jun  4 21:56:42 2003
> /usr/bin/opiepasswd
> < 94452 -r-sr-xr-x  2 root  wheel     5920 Jun  4 21:56:42 2003
> /usr/bin/passwd
> < 94458 -r-sr-xr-x  1 root  wheel    11584 Jun  4 21:56:42 2003
> /usr/bin/quota
> < 94461 -r-sr-xr-x  1 root  wheel    11008 Jun  4 21:56:42 2003
> /usr/bin/rlogin
> < 94465 -r-sr-xr-x  1 root  wheel     8564 Jun  4 21:56:43 2003 /usr/bin/rsh
> < 94478 -r-sr-xr-x  1 root  wheel    12308 Jun  4 21:56:44 2003 /usr/bin/su
> < 94517 -r-xr-sr-x  1 root  kmem     15532 Jun  4 21:56:48 2003
> /usr/bin/vmstat
> < 94519 -r-xr-sr-x  1 root  tty      10516 Jun  4 21:56:48 2003
> /usr/bin/wall
> < 94527 -r-xr-sr-x  1 root  tty       8100 Jun  4 21:56:49 2003
> /usr/bin/write
> < 94353 -r-sr-xr-x  6 root  wheel      17892 Jun  4 21:56:32 2003
> /usr/bin/ypchfn
> < 94353 -r-sr-xr-x  6 root  wheel      17892 Jun  4 21:56:32 2003
> /usr/bin/ypchpass
> < 94353 -r-sr-xr-x  6 root  wheel      17892 Jun  4 21:56:32 2003
> /usr/bin/ypchsh
> < 94452 -r-sr-xr-x  2 root  wheel     5920 Jun  4 21:56:42 2003
> /usr/bin/yppasswd
> < 96169 -r-sr-xr-x  1 root  wheel     3540 Jun  4 21:55:29 2003
> /usr/libexec/pt_chown
> < 96150 -r-xr-sr-x  1 root  smmsp   629176 Jun  4 21:57:15 2003
> /usr/libexec/sendmail/sendmail
> < 108075 -rwsr-xr-x  1 root  daemon    8624 Dec 21 18:00:36 2003
> /usr/local/bin/lppasswd
> < 73521 -rwsr-xr-x  1 root  wheel   285508 May 23 09:27:21 2003
> /usr/local/bin/screen
> < 72487 -rws--x--x  1 root  wheel   741976 May 23 11:00:24 2003
> /usr/local/bin/sperl5.6.1
> < 78399 ---s--x--x  1 root  wheel    86484 May 23 11:56:11 2003
> /usr/local/bin/sudo
> < 77227 -rwxr-sr-x  1 root  maildrop  108333 Aug 25 02:17:22 2003
> /usr/local/sbin/postdrop
> < 77253 -rwxr-sr-x  1 root  maildrop   97362 Aug 25 02:17:23 2003
> /usr/local/sbin/postqueue
> < 96371 -r-xr-sr-x  1 root  daemon     45704 Jun  4 21:57:13 2003
> /usr/sbin/lpc
> < 96274 -r-sr-xr-x  1 root  wheel      22448 Jun  4 21:57:00 2003
> /usr/sbin/mrinfo
> < 96276 -r-sr-xr-x  1 root  wheel      31956 Jun  4 21:57:00 2003
> /usr/sbin/mtrace
> < 96418 -r-sr-xr--  1 root  network   367336 Jun  4 21:57:04 2003
> /usr/sbin/ppp
> < 96419 -r-sr-x---  1 root  dialer    106692 Jun  4 21:57:05 2003
> /usr/sbin/pppd
> < 96328 -r-sr-x---  1 root  network    14516 Jun  4 21:57:07 2003
> /usr/sbin/sliplogin
> < 96337 -r-sr-xr-x  1 root  wheel      16288 Jun  4 21:57:09 2003
> /usr/sbin/timedc
> < 96338 -r-sr-xr-x  1 root  wheel      23392 Jun  4 21:57:09 2003
> /usr/sbin/traceroute
> < 96339 -r-sr-xr-x  1 root  wheel      16788 Jun  4 21:57:09 2003
> /usr/sbin/traceroute6
> < 96340 -r-xr-sr-x  1 root  kmem        8512 Jun  4 21:57:09 2003
> /usr/sbin/trpt
> mv: rename /var/log/setuid.today to /var/log/setuid.yesterday: No such file
> or directory
> 
> Checking for uids of 0:
> root 0
> toor 0
> 
> Checking for passwordless accounts:
> 
> guardian.davemehler.net login failures:
> 
> guardian.davemehler.net refused connections:
> 
> -- End of security output --

Hi,
My first suggestion is to have a look at what services are running that
shouldn't be. A hacked box is not much use to anyone if they cannot use
it. Try sockstat -4 and see if there are unusual (unusual for this box)
services running such as IRC-related services. Take a look at your mail
logs and see if there is unusual mail traffic.

If the attacker is still logged in (probably unlikely) you might get a
hint from netstat -NA | grep ESTABLISHED

HTH

LukeK
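Two small triage helpers for the signals discussed in this thread, added here as an example and not part of either message. The first compares two daily-run setuid listings keyed on the path, and treats an empty "today" listing as a separate condition: a diff hunk of `1,52d0`, as in the quoted output, means all 52 entries of the first file have no counterpart in the second, i.e. the new listing was empty, which is consistent with the `ls: Terminated` line above it and is not the same finding as fifty setuid binaries disappearing. The second implements the "unusual for this box" check from the reply by reporting listening sockets whose port is not in a baseline you supply. The listing samples and the `sockstat` output are constructed; the `sockstat -4 -l` column layout (USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS) and the baseline ports 22 and 25 are assumptions. On a live box you would feed `/var/log/setuid.yesterday` and `/var/log/setuid.today` to `setuid_diff` and real `sockstat -4 -l` output to `unexpected_listeners`.

```shell
#!/bin/sh
# Added example, not from the thread. Samples below are constructed.

# Constructed "yesterday" snapshot in the daily-run listing format.
SETUID_YESTERDAY='94240 -r-sr-xr-x  1 root  wheel     448384 Jun  4 21:54:47 2003 /bin/rcp
117826 -r-sr-xr-x  1 root  wheel     451668 Jun  4 21:55:43 2003 /sbin/ping
94478 -r-sr-xr-x  1 root  wheel    12308 Jun  4 21:56:44 2003 /usr/bin/su'

# Constructed "today" snapshot: ping unchanged, su rewritten (mode and mtime
# differ), rcp gone, and a setuid binary that was never in the baseline.
SETUID_TODAY='117826 -r-sr-xr-x  1 root  wheel     451668 Jun  4 21:55:43 2003 /sbin/ping
94478 -rwsr-xr-x  1 root  wheel    12308 Apr 14 00:30:00 2004 /usr/bin/su
200001 -rwsr-xr-x  1 root  wheel     5000 Apr 14 00:31:00 2004 /usr/local/bin/unexpected'

# setuid_diff YESTERDAY TODAY
# Keys both listings on the path (last field) and prints added / removed /
# changed paths, sorted. An empty TODAY is reported as EMPTY_SNAPSHOT (exit 2)
# rather than as "everything removed", which is what a plain diff shows when
# the find/ls that produced the listing was interrupted.
setuid_diff() {
  if [ -z "$(printf '%s' "$2" | tr -d '[:space:]')" ]; then
    echo EMPTY_SNAPSHOT
    return 2
  fi
  {
    printf '%s\n' "$1" | sed 's/^/Y /'
    printf '%s\n' "$2" | sed 's/^/T /'
  } | awk '
    NF < 2 { next }                       # blank line
    {
      tag = $1; path = $NF
      $1 = ""; rec = substr($0, 2)        # whole record, whitespace-normalised
      if (tag == "Y") y[path] = rec; else t[path] = rec
    }
    END {
      for (p in y) if (!(p in t)) print "removed " p
      for (p in t) if (!(p in y)) print "added " p
      for (p in t) if ((p in y) && y[p] != t[p]) print "changed " p
    }' | sort
}

# Constructed `sockstat -4 -l` output (FreeBSD column layout assumed).
SOCKSTAT_SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       312   4  tcp4   *:22                  *:*
root     sendmail   401   3  tcp4   127.0.0.1:25          *:*
nobody   unknown    9123  5  tcp4   *:6667                *:*'

# unexpected_listeners "PORT PORT ..." SOCKSTAT_OUTPUT
# Prints "COMMAND PID PORT" for every listener whose local port is not in the
# space-separated baseline of ports this box is expected to serve.
unexpected_listeners() {
  printf '%s\n' "$2" | awk -v base="$1" '
    BEGIN { n = split(base, b, " "); for (i = 1; i <= n; i++) ok[b[i]] = 1 }
    NR == 1 && $1 == "USER" { next }      # column header
    NF < 6 { next }
    {
      port = $6; sub(/.*:/, "", port)     # LOCAL ADDRESS is host:port or *:port
      if (!(port in ok)) print $2, $3, port
    }'
}

# Stand-alone run on the constructed samples.
echo "== setuid changes =="
setuid_diff "$SETUID_YESTERDAY" "$SETUID_TODAY"
echo "== listeners outside baseline (22 25) =="
unexpected_listeners "22 25" "$SOCKSTAT_SAMPLE"
```

The "changed" category is the one worth reading first: a setuid binary whose mode, size or mtime moved while the path stayed the same is easy to miss in a raw `<`/`>` diff, and an empty snapshot should send you back to check why the periodic job was killed before drawing any conclusion from the diff.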
