Date:      Thu, 18 Oct 2001 15:35:08 +0200 (CEST)
From:      Konrad Heuer <kheuer@gwdu60.gwdg.de>
To:        Tomek <tomek@mpionline.com>
Cc:        <freebsd-questions@FreeBSD.ORG>
Subject:   Re: I got hacked, I think
Message-ID:  <20011018152518.G37610-100000@gwdu60.gwdg.de>
In-Reply-To: <011e01c157cf$9b401700$f6f073d1@mpionline.com>


On Thu, 18 Oct 2001, Tomek wrote:

> Hope I don't sound like a fool posting 2 separate problems in the same
> day. But while looking for the first problem I found many unusual
> things. I will try to keep it to the point to not waste anyone's time. I
> appreciate ANY help.
>
> ===WHAT I FOUND (quick snips)===
>
> (...)
>
> Is it normal for /var/log/security to be empty?

Yes, it may usually be empty.

> Is it normal to have lots of entries in setuid.today (ie: is it caused
> by general server activity)?

No; in normal operation, the files /var/log/setuid.today and
/var/log/setuid.yesterday should not differ very much; the system
administrator should usually know when entries may change.

> Any suggestions of what logs/places I should check next to find out WHAT
> has been done to my system and what it was used for? (ie: a connection
> log to see when this hacker was connecting, if it exists).
> Any other help.

I suggest (I have used this myself) placing some entries in /etc/hosts.allow
for ftp, telnet, ssh etc. which log any access; below you find an example
I used to log telnet requests (in reality, this is *one* line, not two
lines):

telnetd : ALL : spawn ( /bin/date >> /var/log/telnetd.log && /bin/echo
"telnet session request from %c" >> /var/log/telnetd.log ) : allow

Best regards
Konrad

Konrad Heuer                                    Personal Bookmarks:
Gesellschaft für wissenschaftliche
   Datenverarbeitung mbH Göttingen              http://www.freebsd.org
Am Faßberg, D-37077 Göttingen                   http://www.daemonnews.org
Deutschland (Germany)

kheuer@gwdu60.gwdg.de
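The two checks discussed above, as an added example that is not part of Konrad's reply or of FreeBSD's own scripts: a comparison of two setuid listings of the kind /var/log/setuid.yesterday and /var/log/setuid.today hold, reporting which setuid files appeared or disappeared, and the logging action of the hosts.allow "spawn" clause, called directly so the resulting log line can be inspected. The listings, the client string and all file names under the temporary directory are constructed for the demo; the backslash line continuation in the rule is the one hosts_access(5) documents, so the rule can be kept on two physical lines.

```shell
#!/bin/sh
# Added example, not code from the original post. Everything under $DEMO
# is constructed sample data, not the real /var/log files.

DEMO=$(mktemp -d)
YESTERDAY="$DEMO/setuid.yesterday"
TODAY="$DEMO/setuid.today"
LOGFILE="$DEMO/telnetd.log"

# Constructed listings in the ls -l style the daily security run stores.
# Between the two, /usr/bin/rcp lost its setuid bit and an unexpected
# setuid binary /usr/local/bin/newtool (hypothetical name) appeared.
cat > "$YESTERDAY" <<'EOF'
-r-sr-xr-x  1 root  wheel  12345 Oct  1 2001 /usr/bin/passwd
-r-sr-xr-x  1 root  wheel  23456 Oct  1 2001 /usr/bin/su
-r-sr-xr-x  1 root  wheel   8765 Oct  1 2001 /usr/bin/rcp
EOF
cat > "$TODAY" <<'EOF'
-r-sr-xr-x  1 root  wheel  12345 Oct  1 2001 /usr/bin/passwd
-r-sr-xr-x  1 root  wheel  23456 Oct  1 2001 /usr/bin/su
-rwsr-xr-x  1 root  wheel  34567 Oct 17 2001 /usr/local/bin/newtool
EOF

# setuid_diff OLD NEW: print "+ path" for setuid files present only in NEW
# and "- path" for files present only in OLD. Only the path (last field of
# each listing line) is compared; comm(1) needs sorted input.
setuid_diff() {
    old=$(mktemp); new=$(mktemp)
    awk '{print $NF}' "$1" | sort > "$old"
    awk '{print $NF}' "$2" | sort > "$new"
    comm -13 "$old" "$new" | sed 's/^/+ /'
    comm -23 "$old" "$new" | sed 's/^/- /'
    rm -f "$old" "$new"
}

# log_request CLIENT LOGFILE: the same two commands the spawn clause in the
# reply runs, with %c (tcp_wrappers' client information, e.g. user@host or
# an address) already substituted by the caller.
log_request() {
    date >> "$2" && echo "telnet session request from $1" >> "$2"
}

# hosts_allow_rule: the rule from the reply, written on two physical lines
# with a backslash continuation as hosts_access(5) allows.
hosts_allow_rule() {
    printf '%s\n' \
      'telnetd : ALL : spawn ( /bin/date >> /var/log/telnetd.log && \' \
      '    /bin/echo "telnet session request from %c" >> /var/log/telnetd.log ) : allow'
}

# Stand-alone run: show the setuid changes and one logged request.
setuid_diff "$YESTERDAY" "$TODAY"
log_request "someone@client.example" "$LOGFILE"
cat "$LOGFILE"
hosts_allow_rule
```

A newly listed "+" entry under a directory the administrator did not touch is the kind of change worth following up with the file's mtime and owner; a spawn log only covers connections that reached a wrapped service, so it does not account for sessions already in progress or for services started outside inetd/tcp_wrappers.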





