From owner-freebsd-questions@FreeBSD.ORG  Wed Apr 14 09:04:45 2004
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 809A616A4CE
	for <freebsd-questions@freebsd.org>;
	Wed, 14 Apr 2004 09:04:45 -0700 (PDT)
Received: from ms-smtp-02-eri0.ohiordc.rr.com
	(ms-smtp-02-smtplb.ohiordc.rr.com [65.24.5.136])
	by mx1.FreeBSD.org (Postfix) with ESMTP id C138243D45
	for <freebsd-questions@freebsd.org>;
	Wed, 14 Apr 2004 09:04:44 -0700 (PDT)
	(envelope-from dmehler26@woh.rr.com)
Received: from satellite (dhcp065-031-041-029.woh.rr.com [65.31.41.29])
	i3EG4gf4004893	for <freebsd-questions@freebsd.org>;
	Wed, 14 Apr 2004 12:04:42 -0400 (EDT)
Message-ID: <002301c42239$bb3ca2d0$0200a8c0@satellite>
From: "dave" <dmehler26@woh.rr.com>
To: "FreeBSD Questions" <freebsd-questions@freebsd.org>
References: <000001c421de$6c67ba10$0200a8c0@satellite>
	<20040414144409.F3F8.LUKEK@meibin.net>
	<BFBDD1B2-8E0A-11D8-9C6E-000A956D2452@chrononomicon.com>
Date: Wed, 14 Apr 2004 12:01:21 -0400
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
X-Virus-Scanned: Symantec AntiVirus Scan Engine
Subject: Re: have i been hacked?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Apr 2004 16:04:45 -0000

Hello everyone,
    Ok, i am almost certain i've been hacked now. I just checked the system
for some strange accounts or things i didn't recognize. I didn't see
anything in /etc/passwd, /etc/group, /etc/master.passwd, and so forth. I
however ran chkrootkit and got two very disturbing errors, firstly it was
going along reporting items as uninfected, then when it hit sniffer, the
first of several files it died with the error:
"Abort Trap"
I'm going to take this machine down, back it all up, and do a reinstall.
Also, an nmap scan of the machine from another box showed no unidentified
open services.
    Keep the suggestions coming.
    Thanks.
Dave.