Date:      Wed, 14 Apr 2004 10:23:50 -0400
From:      Clint Gilders <techservices@onlinehobbyist.com>
To:        Remko Lodder <remko@elvandar.org>, freebsd-questions@freebsd.org
Subject:   Re: have i been hacked?
Message-ID:  <407D4976.9030502@onlinehobbyist.com>
In-Reply-To: <407D4555.7040400@elvandar.org>
References:  <000001c421de$6c67ba10$0200a8c0@satellite> <407D4008.8080104@onlinehobbyist.com> <407D4555.7040400@elvandar.org>


>> I had someone get into one of my machines when I stupidly left telnet 
>> running and an email from the system much like yours was what first 
>> alerted me to it.   The kiddie had installed a new ls which didn't 
>> allow any switches.  I imagine '-l' is needed for the suid check, so 
>> it fails and reports all the files as changing.   I ran chkrootkit and 
>> it turned up nothing.   The kiddie had also replaced several other 
>> programs (login and ps were among them) and turned off syslog.    I'm 
>> lucky to have several other systems, so I was able to copy over known 
>> original versions of the system tools that were changed and get the 
>> machine secured before moving all the accounts and reinstalling.
>>
> 
> Bad move, backup important data and reinstall your host, you cannot tell 
> which applications are affected or not (just spotted the obvious ones).
> 
> If you intend to keep it running, well that's a security incident imho.
> 
> Please consider it.

I think you misread my message.  Did "moving all the accounts and 
reinstalling" imply that I didn't do a reinstall?  I simply copied over 
known original programs so I could make my backup and do some postmortem 
before reinstalling the system.   As you say, who knows what other 
programs were changed.  I wanted to use known good binaries.

-- 
Clint Gilders <techservices@onlinehobbyist.com>
Director of Technology Services
OnlineHobbyist.com, Inc.


