Date: Tue, 13 Apr 2004 23:18:35 -0700
From: Kris Kennaway
To: dave
Cc: freebsd-questions@freebsd.org
Subject: Re: have i been hacked?

On Wed, Apr 14, 2004 at 12:51:06AM -0400, dave wrote:
> Hello,
> Wondering if a system on my network has been hacked? At approx 12:30
> this evening the hard disk went crazy, I have been out of town lately and
> have not checked any of the machines, when I did the CPU usage was at 15%
> which on this machine it never gets above 1 maybe 1.5. So I looked, and I
> had nearly 150 processes on the box, 9 running. When I got the daily run
> output I noticed the setuid files have changed. Wondering if this box got
> hacked and if so where to look to confirm this? And if so, what to do?
> Thanks.
> Dave.

This is what you'd expect if someone did a 'make world' on that box -
are you sure there were no other admins online who might have rebuilt
or updated it? If so, then something stranger is going on.

Kris