From owner-freebsd-questions@FreeBSD.ORG Wed Apr 14 06:43:46 2004
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0BAAE16A4CE for ; Wed, 14 Apr 2004 06:43:46 -0700 (PDT)
Received: from simmts8-srv.bellnexxia.net (simmts8.bellnexxia.net [206.47.199.166]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8134B43D5C for ; Wed, 14 Apr 2004 06:43:45 -0700 (PDT) (envelope-from techservices@onlinehobbyist.com)
Received: from freebie2.perlnerd.com ([65.94.55.17]) by simmts8-srv.bellnexxia.net ESMTP <20040414134340.QOIG21833.simmts8-srv.bellnexxia.net@freebie2.perlnerd.com>; Wed, 14 Apr 2004 09:43:40 -0400
Received: from onlinehobbyist.com ([192.168.1.185]) i3EEpD3s001459; Wed, 14 Apr 2004 10:51:17 -0400 (EDT) (envelope-from techservices@onlinehobbyist.com)
Message-ID: <407D4008.8080104@onlinehobbyist.com>
Date: Wed, 14 Apr 2004 09:43:36 -0400
From: Clint Gilders
Organization: OnlineHobbyist.com, Inc.
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040113
X-Accept-Language: en, fr-ca, de, en-us
MIME-Version: 1.0
To: dave, freebsd-questions@freebsd.org
References: <000001c421de$6c67ba10$0200a8c0@satellite>
In-Reply-To: <000001c421de$6c67ba10$0200a8c0@satellite>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: have i been hacked?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
X-List-Received-Date: Wed, 14 Apr 2004 13:43:46 -0000

dave wrote:
> Hello,
> Wondering if a system on my network has been hacked? At approx 12:30
> this evening the hard disk went crazy. I have been out of town lately and
> have not checked any of the machines; when I did, the CPU usage was at 15%,
> which on this machine never gets above 1, maybe 1.5. So I looked, and I
> had nearly 150 processes on the box, 9 running. When I got the daily run
> output I noticed the setuid files have changed. Wondering if this box got
> hacked and if so where to look to confirm this? And if so, what to do?
> Thanks.
> Dave.
>
>
> Checking setuid files and devices:
> ls: Terminated
> : No such file or directory
>
> guardian.davemehler.net setuid diffs:
> 1,52d0
> < 94240 -r-sr-xr-x 1 root wheel 448384 Jun 4 21:54:47 2003 /bin/rcp
> < 117807 -r-sr-x--- 1 root operator 421832 Jun 4 21:55:39 2003 /sbin/mksnap_ffs
> < 117826 -r-sr-xr-x 1 root wheel 451668 Jun 4 21:55:43 2003

I had someone get into one of my machines when I stupidly left telnet running, and an email from the system much like yours was what first alerted me to it. The kiddie had installed a new ls which didn't allow any switches. I imagine '-l' is needed for the suid check, so it fails and reports all the files as changing. I ran chkrootkit and it turned up nothing. The kiddie had also replaced several other programs (login and ps were among them) and turned off syslog. I'm lucky to have several other systems, so I was able to copy over known original versions of the system tools that were changed and get the machine secured before moving all the accounts and reinstalling.

-- 
Clint Gilders
Director of Technology Services
OnlineHobbyist.com, Inc.
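The two checks discussed in this thread, the daily setuid diff and Clint's comparison against known-good copies from another host, are shown below as an added example. It is not code from the thread or from FreeBSD's periodic scripts. It enumerates setuid files with os.lstat instead of shelling out to ls, so a replaced ls that rejects its switches cannot produce an empty list that flags every file as "removed" (the symptom in Dave's report), and it verifies binaries against a SHA-256 manifest in the role Clint's other systems played. Function names, the throwaway directory tree and the digests in demo() are constructed for the example.

```python
"""Added example: setuid baseline diff without ls(1), plus known-good hash check."""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Tuple

Entry = Tuple[int, int, int, int]  # (permission bits, uid, gid, size)


def walk_setuid(root: str) -> Dict[str, Entry]:
    """Enumerate setuid/setgid regular files under root using os.lstat directly,
    so the result does not depend on a possibly replaced ls binary."""
    found: Dict[str, Entry] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune symlinked directories so a planted link cannot redirect the walk.
        dirnames[:] = [d for d in dirnames
                       if not os.path.islink(os.path.join(dirpath, d))]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished; skip rather than abort the run
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found[os.path.relpath(path, root)] = (
                    stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, st.st_size)
    return found


def diff_setuid(old: Dict[str, Entry], new: Dict[str, Entry]) -> Dict[str, List[str]]:
    """Classify baseline differences. A populated baseline against an empty new
    scan is reported as 'suspect_scan' rather than as dozens of removals: a scan
    that sees no setuid file at all has failed, and the tool doing the looking
    is the first thing to distrust."""
    result: Dict[str, List[str]] = {"added": [], "removed": [], "changed": [], "suspect_scan": []}
    if old and not new:
        result["suspect_scan"] = sorted(old)
        return result
    for p in sorted(set(old) | set(new)):
        if p not in old:
            result["added"].append(p)
        elif p not in new:
            result["removed"].append(p)
        elif old[p] != new[p]:
            result["changed"].append(p)
    return result


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_manifest(manifest: Dict[str, str], root: str) -> Dict[str, str]:
    """Compare files under root with SHA-256 digests recorded on a trusted host.
    Returns {relative path: 'ok' | 'MISMATCH' | 'MISSING'}."""
    status: Dict[str, str] = {}
    for rel, good in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            status[rel] = "MISSING"
        elif sha256_file(path) != good:
            status[rel] = "MISMATCH"
        else:
            status[rel] = "ok"
    return status


def demo() -> Dict[str, object]:
    """Build a throwaway tree (constructed data), record a baseline and manifest,
    then simulate the incident from the thread: ls is replaced by a different,
    setuid file. Both checks should flag it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    for name, body, setuid in [("ls", b"genuine ls", False), ("rcp", b"genuine rcp", True)]:
        path = os.path.join(root, "bin", name)
        with open(path, "wb") as f:
            f.write(body)
        os.chmod(path, 0o4555 if setuid else 0o555)
    baseline = walk_setuid(root)
    manifest = {rel: sha256_file(os.path.join(root, rel)) for rel in ("bin/ls", "bin/rcp")}

    replaced = os.path.join(root, "bin", "ls")
    os.chmod(replaced, 0o755)
    with open(replaced, "wb") as f:
        f.write(b"replacement ls that rejects -l")
    os.chmod(replaced, 0o4755)

    return {
        "diff": diff_setuid(baseline, walk_setuid(root)),
        "manifest": verify_manifest(manifest, root),
        "ls_blanked": diff_setuid(baseline, {}),  # what a failed ls scan looks like
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The manifest only helps if the digests were recorded before the compromise and stored off the box; a manifest sitting on the same disk can be edited along with the binaries, which is the same reason Clint's copies had to come from other systems.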