Date: Tue, 13 Apr 2004 23:18:35 -0700
From: Kris Kennaway <kris@obsecurity.org>
To: dave <dmehler26@woh.rr.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: have i been hacked?
Message-ID: <20040414061835.GA45027@xor.obsecurity.org>
In-Reply-To: <000001c421de$6c67ba10$0200a8c0@satellite>
References: <000001c421de$6c67ba10$0200a8c0@satellite>

On Wed, Apr 14, 2004 at 12:51:06AM -0400, dave wrote:
> Hello,
> Wondering if a system on my network has been hacked? At approx 12:30
> this evening the hard disk went crazy, I have been out of town lately and
> have not checked any of the machines, when I did the CPU usage was at 15%
> which on this machine it never gets above 1 maybe 1.5. So I looked, and I
> had nearly 150 processes on the box, 9 running. When I got the daily run
> output I noticed the setuid files have changed. Wondering if this box got
> hacked and if so where to look to confirm this? And if so, what to do?
> Thanks.
> Dave.

This is what you'd expect if someone did a 'make world' on that box -
are you sure there were no other admins online who might have rebuilt
or updated it? If so, then something stranger is going on.

Kris