Date:      Tue, 13 Apr 2004 23:18:35 -0700
From:      Kris Kennaway <kris@obsecurity.org>
To:        dave <dmehler26@woh.rr.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: have i been hacked?
Message-ID:  <20040414061835.GA45027@xor.obsecurity.org>
In-Reply-To: <000001c421de$6c67ba10$0200a8c0@satellite>
References:  <000001c421de$6c67ba10$0200a8c0@satellite>


On Wed, Apr 14, 2004 at 12:51:06AM -0400, dave wrote:
> Hello,
>     Wondering if a system on my network has been hacked? At approx 12:30
> this evening the hard disk went crazy, I have been out of town lately and
> have not checked any of the machines, when I did the CPU usage was at 15%
> which on this machine it never gets above 1 maybe 1.5. So I looked, and I
> had nearly 150 processes on the box, 9 running. When I got the daily run
> output i noticed the setuid files have changed. Wondering if this box got
> hacked and if so where to look to confirm this? And if so, what to do?
> Thanks.
> Dave.

This is what you'd expect if someone did a 'make world' on that box -
are you sure there were no other admins online who might have rebuilt
or updated it?  If so, then something stranger is going on.

Kris
