From owner-freebsd-questions Thu Oct 18 6:42:26 2001
Date: Thu, 18 Oct 2001 15:42:18 +0200 (CEST)
From: Konrad Heuer <kheuer@gwdu60.gwdg.de>
To: Tomek
Cc: freebsd-questions@freebsd.org
Subject: Re: I got hacked, I think
In-Reply-To: <20011018152518.G37610-100000@gwdu60.gwdg.de>
Message-ID: <20011018153844.X37678-100000@gwdu60.gwdg.de>
Sender: owner-freebsd-questions@FreeBSD.ORG

On Thu, 18 Oct 2001, Konrad Heuer wrote:

> On Thu, 18 Oct 2001, Tomek wrote:
>
> > Hope I don't sound like a fool posting 2 separate problems in the same
> > day. But while looking for the first problem I found many unusual
> > things. I will try to keep it to the point to not waste anyone's time. I
> > appreciate ANY help.
> >
> > ===WHAT I FOUND (quick snips)===
> >
> > (...)
> >
> > Is it normal for /var/log/security to be empty?
>
> Yes, it may usually be empty.
>
> > Is it normal to have lots of entries in setuid.today (ie: is it caused
> > by general server activity)?
>
> No; in normal operation, the files /var/log/setuid.today and
> /var/log/setuid.today should not differ very much; the system
> administrator should usually know when entries may change.
>
> > Any suggestions of what logs/places I should check next to find out WHAT
> > has been done to my system and what it was used for? (ie: a connection
> > log to see when this hacker was connecting, if it exists).
> > Any other help.
>
> I suggest (I have used this myself) placing some entries in /etc/hosts.allow
> for ftp, telnet, ssh etc. which log any access; below you find an example
> I used to log telnet requests (in reality, this is *one* line, not two
> lines):
>
> telnetd : ALL : spawn ( /bin/date >> /var/log/telnetd.log && /bin/echo "telnet session request from %c" >> /var/log/telnetd.log ) : allow
>

I forgot to mention in my first reply that I'd put the system into secure
mode and set the system append-only flag for telnetd.log etc:

    chflags sappnd /var/log/telnetd.log
    sysctl -w kern.securelevel=2

This will prevent any intruder from eliminating his/her activity in
/var/log/telnetd.log.

Best regards

Konrad

Konrad Heuer
Gesellschaft für wissenschaftliche Datenverarbeitung mbH Göttingen
Am Faßberg, D-37077 Göttingen
Deutschland (Germany)
kheuer@gwdu60.gwdg.de

Personal Bookmarks:
http://www.freebsd.org
http://www.daemonnews.org
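Added example, not part of Konrad's post or of FreeBSD: a POSIX sh/awk function that answers Tomek's "connection log" question by summarizing the two-line records the spawn rule above writes to /var/log/telnetd.log (a `/bin/date` line followed by "telnet session request from %c", where tcp wrappers expands %c to the client address, host name or user@host). The sample log below is constructed; the path and function name are assumptions.

```shell
#!/bin/sh
# Summarize telnetd.log records written by the hosts.allow spawn rule:
# each request is a date line followed by "telnet session request from <client>".
# Output: one line per client with request count, first and last timestamp.
summarize_telnet_log() {
    awk '
        /^telnet session request from / {
            client = substr($0, length("telnet session request from ") + 1)
            count[client]++
            if (!(client in first)) first[client] = prev
            last[client] = prev
            next
        }
        { prev = $0 }   # any other line is the date stamp written before a request
        END {
            for (c in count)
                printf "%s %d \"%s\" \"%s\"\n", c, count[c], first[c], last[c]
        }
    ' "$1" | sort
}

# Constructed sample log in exactly the format the spawn rule produces.
# Two requests from one address at night, one daytime request from a named user@host.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
Thu Oct 18 02:13:07 CEST 2001
telnet session request from 192.0.2.77
Thu Oct 18 02:13:41 CEST 2001
telnet session request from 192.0.2.77
Thu Oct 18 09:30:02 CEST 2001
telnet session request from admin@workstation.example.org
EOF

summarize_telnet_log "$sample_log"
rm -f "$sample_log"
```

The log records connection requests only, not what happened inside the session, so a burst of requests from an unfamiliar address at unusual hours is a lead to correlate with setuid.today changes and other logs, not proof by itself.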