From owner-freebsd-questions@FreeBSD.ORG Wed Apr 14 07:23:52 2004
Message-ID: <407D4976.9030502@onlinehobbyist.com>
Date: Wed, 14 Apr 2004 10:23:50 -0400
From: Clint Gilders
Organization: OnlineHobbyist.com, Inc.
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040113
To: Remko Lodder, freebsd-questions@freebsd.org
References: <000001c421de$6c67ba10$0200a8c0@satellite> <407D4008.8080104@onlinehobbyist.com> <407D4555.7040400@elvandar.org>
In-Reply-To: <407D4555.7040400@elvandar.org>
Subject: Re: have i been hacked?
List-Id: User questions

>> I had someone get into one of my machines when I stupidly left telnet
>> running, and an email from the system much like yours was what first
>> alerted me to it. The kiddie had installed a new ls which didn't
>> allow any switches. I imagine '-l' is needed for the suid check, so
>> it fails and reports all the files as changing. I ran chkrootkit and
>> it turned up nothing. The kiddie had also replaced several other
>> programs (login and ps were among them) and turned off syslog. I'm
>> lucky to have several other systems, so I was able to copy over known
>> original versions of the system tools that were changed and get the
>> machine secured before moving all the accounts and reinstalling.
>>
>
> Bad move. Back up important data and reinstall your host; you cannot tell
> which applications are affected or not (you just spotted the obvious ones).
>
> If you intend to keep it running, well, that's a security incident imho.
>
> Please consider it.

I think you misread my message. Did "moving all the accounts and
reinstalling" imply that I didn't do a reinstall? I simply copied over
known original programs so I could make my backup and do some postmortem
before reinstalling the system. As you say, who knows what other programs
were changed. I wanted to use known good binaries.

-- 
Clint Gilders
Director of Technology Services
OnlineHobbyist.com, Inc.
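The comparison the poster did by hand (bringing over known-good ls, ps and login from his other hosts) can be done systematically before the postmortem: take sha256 hashes of the core binaries from a trusted tree and diff the suspect tree against them. The script below is an added example and is not code from the thread, from FreeBSD or from chkrootkit. It assumes both trees are reachable as directories (for instance the clean host's filesystem mounted under one root and the suspect disk under another) and uses a made-up list of binaries to check; the `demo` function builds two constructed directory trees in a temp dir, with ls and ps replaced and syslogd removed, so it runs offline.

```shell
#!/bin/sh
# Compare a suspect host's core binaries against sha256 hashes taken from a
# known-good tree.  Assumed layout (not from the thread): both trees sit
# under a root directory, e.g. /mnt/goodhost and /mnt/suspect.

# Binaries rootkits of the kind described replace first: ls, ps, login,
# plus netstat and syslogd.  Assumed list; extend it for a real host.
BINARIES="bin/ls bin/ps usr/bin/login usr/bin/netstat usr/sbin/syslogd"

# sha256 of one file with whichever tool the host has
# (FreeBSD: sha256(1); Linux: sha256sum; fallback: openssl).
hash_file() {
  if command -v sha256 >/dev/null 2>&1; then
    sha256 -q "$1"
  elif command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    openssl dgst -sha256 "$1" | awk '{print $NF}'
  fi
}

# make_baseline GOODROOT MANIFEST
# Record "<sha256> <relative path>" for each binary under a trusted tree.
# Generate this on the clean host or from install media, never on the
# suspect box: its sha256 tool could be trojaned too.
make_baseline() {
  root=$1; out=$2
  : > "$out"
  for rel in $BINARIES; do
    [ -f "$root/$rel" ] || continue
    printf '%s %s\n' "$(hash_file "$root/$rel")" "$rel" >> "$out"
  done
}

# verify_against SUSPECTROOT MANIFEST
# Print OK / MODIFIED / MISSING per binary; return 1 if anything differs.
verify_against() {
  root=$1; manifest=$2; bad=0
  while read -r expected rel; do
    if [ ! -f "$root/$rel" ]; then
      echo "MISSING  $rel"; bad=1; continue
    fi
    actual=$(hash_file "$root/$rel")
    if [ "$actual" = "$expected" ]; then
      echo "OK       $rel"
    else
      echo "MODIFIED $rel"; bad=1
    fi
  done < "$manifest"
  return $bad
}

# demo: constructed stand-ins for the clean host and the compromised one,
# built in a temp dir, with the suspect ls and ps replaced and syslogd
# gone, mirroring what the thread describes.  Prints the report and
# "status=N"; always exits 0 itself so it can run under set -e.
demo() {
  tmp=$(mktemp -d) || return 1
  for rel in $BINARIES; do
    mkdir -p "$tmp/good/$(dirname "$rel")" "$tmp/suspect/$(dirname "$rel")"
    printf 'original %s\n' "$rel" > "$tmp/good/$rel"
    cp "$tmp/good/$rel" "$tmp/suspect/$rel"
  done
  # Constructed tampering on the suspect tree.
  printf 'trojaned ls that refuses switches\n' > "$tmp/suspect/bin/ls"
  printf 'trojaned ps\n' > "$tmp/suspect/bin/ps"
  rm -f "$tmp/suspect/usr/sbin/syslogd"

  make_baseline "$tmp/good" "$tmp/baseline.sha256"
  if verify_against "$tmp/suspect" "$tmp/baseline.sha256"; then
    echo "status=0"
  else
    echo "status=1"
  fi
  rm -rf "$tmp"
}

# Uncomment to run the constructed demo directly:
# demo
```

Two caveats a practitioner would add. The hashes only catch files that were replaced; a kernel-level rootkit that lies about file contents or hides processes will not show up, which is why the baseline and the hashing tool itself should come from media that never ran on the suspect host (boot from install media or pull the disk). And a clean comparison is still only input to the postmortem, not a reason to skip the reinstall the thread ends up agreeing on.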