Date: Wed, 14 Apr 2004 02:33:39 -0700 (PDT) From: Dan Strick <strick@covad.net> To: dmehler26@woh.rr.com Cc: freebsd-questions@freebsd.org Subject: Re: have i been hacked? Message-ID: <200404140933.i3E9XdSE000461@mist.nodomain>
next in thread | raw e-mail | index | archive | help
>> > ... > When i got the daily run > output i noticed the setuid files have changed. Wondering if this box got > hacked and if so where to look to confirm this? > ... > > Checking setuid files and devices: > ls: Terminated > : No such file or directory > > guardian.davemehler.net setuid diffs: > 1,52d0 > < 94240 -r-sr-xr-x 1 root wheel 448384 Jun 4 21:54:47 2003 /bin/rcp > ... >> The "ls" command the security script uses to discover all of the setuid files on your system failed for some unspecified reason and this caused the script to think that all the setuid files discovered during the previous run of this security script had gone away. The next time this script runs it may well report that these files have reappeared. This is probably not evidence that your system was hacked. Dan Strick strick@covad.net
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200404140933.i3E9XdSE000461>