Date: Mon, 12 Feb 2001 04:35:56 -0600
From: "R . Munden" <orbitmaster@netorbit.com>
To: freebsd-questions@freebsd.org
Subject: Re: looks like the hackers found me
Message-ID: <20010212043556.K2340@ripper>
In-Reply-To: <20010212021417.A28413@mollari.cthul.hu>; from kris@obsecurity.org on Mon, Feb 12, 2001 at 04:14:17 -0600
References: <20010212075906.A2C1A9883@bruiser.netorbit.com> <20010212032222.I2340@ripper> <20010212021417.A28413@mollari.cthul.hu>

On 2001.02.12 04:14:17 -0600 Kris Kennaway wrote:
> On Mon, Feb 12, 2001 at 03:22:22AM -0600, R . Munden wrote:
> > ..what do you think? I was having a lot of problems with BIND earlier
> > today and yesterday.
>
> What version of BIND are you running? If it's not a vulnerable one
> (see Security Advisory 01:18), then I doubt it was this :-)

It was a vulnerable version, I'm up to the new 8.x as of about three hours ago. What made me think it was a hacker was the fact that the pipe was filling up with UDP packets. It could have been named acting funky because of a bad disk. It's almost time for the work day to start here, I'll run an fsck after the morning phone calls have stopped. Any pointers on troubleshooting disk sub-system errors?

> > On 2001.02.12 01:59:06 -0600 Charlie Root wrote:
> > checking setuid files and devices:
> > Bus error - core dumped
> > Bus error - core dumped
> > Bus error - core dumped
> > Bus error - core dumped
> > cmp: EOF on /var/run/_secure.11658
>
> Check /var/log/messages to see what was actually dumping core. The
> find(1) job didn't complete, which is why the list below shows a whole
> lot of files "disappearing" and not being replaced by anything
> (i.e. the list of files it was comparing to was empty).

ahhh, that helps (I thought it was saying they were the files that changed, and I guess that is what it is saying), looks like find is dumping core most recently and named did it earlier.

> > < 109319 -r-xr-sr-x 1 root operator 56964 Sep 25 19:01:23 2000 /bin/df
> > < 109332 -r-sr-xr-x 1 root wheel 319336 Sep 25 19:06:43 2000 /bin/rcp
> > < 54669 -r-xr-sr-x 1 root kmem 62800 Sep 25 19:02:38 2000 /sbin/ccdconfig
> ...
>
> Kris
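
The failure mode described in the message above (find(1) dying mid-scan, so the comparison reports every setuid file as removed), shown as an added example that is not part of the original message and is not FreeBSD's own security script. The function name `check_setid`, the `FIND` override and the baseline file argument are hypothetical; the sketch treats a failed or empty scan as "unreliable" instead of diffing it.

```sh
#!/bin/sh
# Added example (not the FreeBSD script): setuid/setgid inventory with a
# guard against the failure mode in this thread. Names are hypothetical.

# check_setid DIR BASELINE
#   returns 0 = unchanged (or first run), 1 = changes printed,
#           2 = scan unreliable, baseline left untouched
check_setid() {
    dir=$1 baseline=$2 cur="$2.new.$$"

    # FIND can be overridden for testing. find exits non-zero on any error,
    # and the shell reports 128+signal when it is killed (e.g. a bus error).
    if ! "${FIND:-find}" "$dir" -xdev -type f \
            \( -perm -4000 -o -perm -2000 \) -print > "$cur" 2>/dev/null
    then
        echo "setid check: find did not complete; not comparing" >&2
        rm -f "$cur"
        return 2
    fi
    sort -o "$cur" "$cur"

    # First run: nothing to compare against yet.
    if [ ! -f "$baseline" ]; then
        mv "$cur" "$baseline"
        return 0
    fi

    # A clean exit with no output while the baseline has entries is far
    # more likely a broken scan than every setid file vanishing at once.
    if [ -s "$baseline" ] && [ ! -s "$cur" ]; then
        echo "setid check: empty listing vs non-empty baseline" >&2
        rm -f "$cur"
        return 2
    fi

    if cmp -s "$baseline" "$cur"; then
        rm -f "$cur"
        return 0
    fi
    diff "$baseline" "$cur"      # "<" = removed, ">" = added
    mv "$cur" "$baseline"
    return 1
}
```

A return value of 2 is the signal to look at /var/log/messages for the core dump before trusting or updating the baseline.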