Date: Wed, 14 Apr 2004 10:23:50 -0400
From: Clint Gilders <techservices@onlinehobbyist.com>
To: Remko Lodder <remko@elvandar.org>, freebsd-questions@freebsd.org
Subject: Re: have i been hacked?
Message-ID: <407D4976.9030502@onlinehobbyist.com>
In-Reply-To: <407D4555.7040400@elvandar.org>
References: <000001c421de$6c67ba10$0200a8c0@satellite> <407D4008.8080104@onlinehobbyist.com> <407D4555.7040400@elvandar.org>
>> I had someone get into one of my machines when I stupidly left telnet
>> running and an email from the system much like yours was what first
>> alerted me to it. The kiddie had installed a new ls which didn't
>> allow any switches. I imagine '-l' is needed for the suid check, so
>> it fails and reports all the files as changing. I ran chkrootkit and
>> it turned up nothing. The kiddie had also replaced several other
>> programs (login and ps were among them) and turned off syslog. I'm
>> lucky to have several other systems, so I was able to copy over known
>> original versions of the system tools that were changed and get the
>> machine secured before moving all the accounts and reinstalling.
>>
>
> Bad move, back up important data and reinstall your host, you cannot tell
> which applications are affected or not (just spotted the obvious ones).
>
> If you intend to keep it running, well that's a security incident imho.
>
> Please consider it.

I think you misread my message. Did "moving all the accounts and
reinstalling" imply that I didn't do a reinstall? I simply copied over
known original programs so I could make my backup and do some postmortem
before reinstalling the system. As you say, who knows what other programs
were changed. I wanted to use known good binaries.

-- 
Clint Gilders <techservices@onlinehobbyist.com>
Director of Technology Services
OnlineHobbyist.com, Inc.
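The approach described in the reply, checking a compromised host's system tools against known-good copies from another system, as an added example that is not part of this thread: a POSIX sh script that records SHA-256 digests of binaries from a trusted install and checks a suspect tree against them, reporting modified and missing files. The trusted and suspect trees, file names and file contents in `demo` are constructed for the demonstration.

```shell
# Added example, not code from the thread. Keep the manifest and the checking
# tools on a separate trusted host: a rootkit that replaced ls/ps/login can
# just as easily alter local copies or local hash lists.
hash_file() {
    # Portable SHA-256: GNU coreutils sha256sum, FreeBSD sha256, or shasum.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}
# build_manifest TRUSTED_ROOT OUTFILE: one "digest relpath" line per file.
build_manifest() {
    ( cd "$1" && find . -type f | sort ) | while read -r rel; do
        printf '%s %s\n' "$(hash_file "$1/$rel")" "$rel"
    done > "$2"
}
# verify_manifest SUSPECT_ROOT MANIFEST: print each deviation and return the
# number of deviating files (0 means every listed binary matched).
verify_manifest() {
    bad=0
    while read -r digest rel; do
        if [ ! -f "$1/$rel" ]; then
            echo "MISSING  $rel"; bad=$((bad + 1))
        elif [ "$(hash_file "$1/$rel")" != "$digest" ]; then
            echo "MODIFIED $rel"; bad=$((bad + 1))
        fi
    done < "$2"
    return "$bad"
}
# demo: constructed scenario mirroring the thread, where the intruder
# replaced ls and removed ps while login is untouched; returns the count.
demo() {
    t=$(mktemp -d); s=$(mktemp -d); n=0
    for b in ls ps login; do
        printf 'genuine %s binary\n' "$b" > "$t/$b"
        cp "$t/$b" "$s/$b"
    done
    printf 'trojaned ls that rejects switches\n' > "$s/ls"
    rm "$s/ps"
    build_manifest "$t" "$t.manifest"
    verify_manifest "$s" "$t.manifest" || n=$?
    rm -rf "$t" "$s" "$t.manifest"
    return "$n"
}
```

Run `demo` to see the two deviations; in real use, build the manifest from a clean install of the same release and run `verify_manifest` against the suspect root, or simply use the manifest to decide which binaries to copy over before doing the postmortem.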