Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 14 Apr 2004 09:43:36 -0400
From:      Clint Gilders <>
To:        dave <>,
Subject:   Re: have i been hacked?
Message-ID:  <>
In-Reply-To: <000001c421de$6c67ba10$0200a8c0@satellite>
References:  <000001c421de$6c67ba10$0200a8c0@satellite>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
dave wrote:
> Hello,
>     Wondering if a system on my network has been hacked? At approx 12:30
> this evening the hard disk went crazy, i have been out of town lately and
> have not checked any of the machines, when i did the CPU usage was at 15%
> which on this machine it never gets above 1 maybe 1.5. So i looked, and i
> had nearly 150 processes on the box, 9 running. When i got the daily run
> output i noticed the setuid files have changed. Wondering if this box got
> hacked and if so where to look to confirm this? And if so, what to do?
> Thanks.
> Dave.
> Checking setuid files and devices:
> ls: Terminated
> : No such file or directory
> setuid diffs:
> 1,52d0
> < 94240 -r-sr-xr-x  1 root  wheel     448384 Jun  4 21:54:47 2003 /bin/rcp
> < 117807 -r-sr-x---  1 root  operator  421832 Jun  4 21:55:39 2003
> /sbin/mksnap_ffs
> < 117826 -r-sr-xr-x  1 root  wheel     451668 Jun  4 21:55:43 2003

I had someone get into one of my machines when I stupidly left telnet 
running and an email from the system much like yours was what first 
alerted me to it.   The kiddie had installed a new ls which didn't allow 
any switches.  I imagine '-l' is needed for the suid check, so it fails 
and reports all the files as changing.   I ran chkrootkit and it turned 
up nothing.   The kiddie had also replaced several other programs (login 
and ps were among them) and turned off syslog.    I'm lucky to have 
several other systems, so i was able to copy over known original 
versions of the system tools that were changed and get the machine 
secured before moving all the accounts and reinstalling.

Clint Gilders <>
Director of Technology Services, Inc.

Want to link to this message? Use this URL: <>