Date:      Wed, 14 Apr 2004 16:06:13 +0200
From:      Remko Lodder <remko@elvandar.org>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: have i been hacked?
Message-ID:  <407D4555.7040400@elvandar.org>
In-Reply-To: <407D4008.8080104@onlinehobbyist.com>
References:  <000001c421de$6c67ba10$0200a8c0@satellite> <407D4008.8080104@onlinehobbyist.com>

Clint Gilders wrote:
> dave wrote:
> 
>> Hello,
>>     Wondering if a system on my network has been hacked? At approx 12:30
>> this evening the hard disk went crazy. I have been out of town lately and
>> have not checked any of the machines; when I did, the CPU usage was at 15%,
>> which on this machine never gets above 1, maybe 1.5. So I looked, and I
>> had nearly 150 processes on the box, 9 running. When I got the daily run
>> output I noticed the setuid files have changed. Wondering if this box got
>> hacked and if so where to look to confirm this? And if so, what to do?
>> Thanks.
>> Dave.
>>
>>
>> Checking setuid files and devices:
>> ls: Terminated
>> : No such file or directory
>>
>> guardian.davemehler.net setuid diffs:
>> 1,52d0
>> < 94240 -r-sr-xr-x  1 root  wheel     448384 Jun  4 21:54:47 2003 
>> /bin/rcp
>> < 117807 -r-sr-x---  1 root  operator  421832 Jun  4 21:55:39 2003
>> /sbin/mksnap_ffs
>> < 117826 -r-sr-xr-x  1 root  wheel     451668 Jun  4 21:55:43 2003
> 
> 
> I had someone get into one of my machines when I stupidly left telnet 
> running and an email from the system much like yours was what first 
> alerted me to it.   The kiddie had installed a new ls which didn't allow 
> any switches.  I imagine '-l' is needed for the suid check, so it fails 
> and reports all the files as changing.   I ran chkrootkit and it turned 
> up nothing.   The kiddie had also replaced several other programs (login 
> and ps were among them) and turned off syslog.    I'm lucky to have 
> several other systems, so I was able to copy over known original 
> versions of the system tools that were changed and get the machine 
> secured before moving all the accounts and reinstalling.
> 

Bad move. Back up important data and reinstall your host; you cannot tell 
which applications are affected or not (you just spotted the obvious ones).

If you intend to keep it running, well, that's a security incident imho.

Please consider it.


-- 

Kind regards,

Remko Lodder
Elvandar.org/DSINet.org
www.mostly-harmless.nl A Dutch community for helping newcomers on the 
hackerscene
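Added example, not part of the thread above: the daily security run that produced Dave's report compares `ls -l` output for setuid files against the previous day's copy, which is why a replaced `ls` that rejects switches makes every entry look changed. This script builds the inventory with `os.lstat` instead and records a content hash per file, so a swapped-in binary is reported even when its mode, size and mtime match the original. The tree layout, file names and `demo()` scenario are constructed; as Remko's point implies, the interpreter and libc running it must themselves come from trusted media for the result to mean anything.

```python
"""Setuid/setgid inventory that does not depend on `ls` (added example, not from the thread).
Each file is hashed so a replaced binary shows up even if mode, size and mtime match."""
import hashlib
import os
import stat
import tempfile

SETID = stat.S_ISUID | stat.S_ISGID

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def setid_inventory(root):
    """Map path -> (perm bits, uid, gid, size, sha256) for regular setuid/setgid files."""
    inv = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)  # lstat: no symlink following, no external ls binary involved
            if stat.S_ISREG(st.st_mode) and st.st_mode & SETID:
                inv[p] = (stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid,
                          st.st_size, sha256_of(p))
    return inv

def diff_inventory(baseline, current):
    """Return sorted (added, removed, changed) path lists relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return added, removed, changed

def write_setuid(path, data):
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, 0o4555)  # re-apply: writing to a setuid file may clear the bit

def demo():
    """Constructed scenario: `ls` replaced by a same-size file, plus a new setuid `rcp`."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "bin"))
    write_setuid(os.path.join(root, "bin", "ls"), b"original ls\n")
    baseline = setid_inventory(root)
    write_setuid(os.path.join(root, "bin", "ls"), b"trojaned ls\n")  # same length, same mode
    write_setuid(os.path.join(root, "bin", "rcp"), b"new setuid\n")
    added, removed, changed = diff_inventory(baseline, setid_inventory(root))
    return tuple([os.path.basename(p) for p in ps] for ps in (added, removed, changed))
```

Store the baseline inventory off-host (or on read-only media) rather than beside yesterday's `ls` output, since anything writable on the compromised box can be edited along with the binaries.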



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?407D4555.7040400>