Date:      Mon, 18 Dec 2000 22:32:20 -0500 (EST)
From:      Jim Durham <durham@w2xo.pgh.pa.us>
To:        "Gerald T. Freymann" <freymann@eagle.ca>
Cc:        Jonathan Fosburgh <syjef@mail.mdanderson.org>, Questions <questions@FreeBSD.ORG>
Subject:   RE: Hacker history file - OUCH
Message-ID:  <Pine.BSF.4.21.0012182223400.80236-100000@shazam.int>
In-Reply-To: <NEBBIPHLEDGOAFACJGDDIECGDHAA.freymann@eagle.ca>


On Mon, 18 Dec 2000, Gerald T. Freymann wrote:

> |O|> Do you know for sure it was an intruder?
> 
>  Had to be. All of this was done under the name of our backup software
> (amanda)
> 
> |O|> The results of the su ought to be in /var/log/messages.
> |O|> Especially the one to toor.  You should either see a success or failure
> message.
> 
>  Duh! Forgot about that. It only logs successful su's and there are none
> from anybody but staff since Nov 30th.
> 

Ah, but this guy (or gal) was root! root can change the /var/log/messages
file, so don't believe anything you see on a machine that has been
compromised that way.

One could always do a new installation of the basic binaries
on an old 486 or whatever and then NFS mount / and /usr and
compare them against your bin, sbin, etc. Use the tools on the
new machine, of course, to do the compare!

-Jim Durham

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
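The clean-machine comparison Jim suggests, as an added shell example that is not from the original thread: a freshly installed reference tree is hashed with the clean machine's own tools and compared against the suspect tree mounted from the compromised host. The `compare_trees` helper, the directory layout and the demo trees are constructed for illustration.

```shell
#!/bin/sh
# Compare a suspect filesystem (e.g. the NFS-mounted / and /usr of a
# compromised host) against a freshly installed reference tree, using
# only the clean machine's own tools. Hypothetical helper, not from the
# original thread; all paths below are constructed examples.

hash_file() {
    # Prefer SHA-256; fall back to POSIX cksum (CRC) if unavailable.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        cksum "$1" | cut -d' ' -f1
    fi
}

# compare_trees REFERENCE SUSPECT SUBDIR...
# Prints one line per discrepancy: MODIFIED, MISSING or EXTRA, plus path.
compare_trees() {
    ref="$1"; sus="$2"; shift 2
    for d in "$@"; do
        # Files in the reference that are changed or gone on the suspect.
        find "$ref/$d" -type f | while read -r f; do
            rel="${f#$ref/}"
            if [ ! -f "$sus/$rel" ]; then
                echo "MISSING $rel"
            elif [ "$(hash_file "$f")" != "$(hash_file "$sus/$rel")" ]; then
                echo "MODIFIED $rel"
            fi
        done
        # Files on the suspect that the reference never had (dropped tools).
        find "$sus/$d" -type f | while read -r f; do
            rel="${f#$sus/}"
            [ -f "$ref/$rel" ] || echo "EXTRA $rel"
        done
    done
}

# Constructed demo: a reference tree and a "suspect" tree in a temporary
# directory, with one altered binary and one extra hidden file.
demo() {
    tmp=$(mktemp -d); ref="$tmp/ref"; sus="$tmp/sus"
    mkdir -p "$ref/bin" "$ref/sbin" "$sus/bin" "$sus/sbin"
    printf 'clean ls\n'   > "$ref/bin/ls";    cp "$ref/bin/ls"    "$sus/bin/ls"
    printf 'clean ps\n'   > "$ref/bin/ps";    printf 'altered ps\n' > "$sus/bin/ps"
    printf 'clean init\n' > "$ref/sbin/init"; cp "$ref/sbin/init" "$sus/sbin/init"
    printf 'unknown\n'    > "$sus/sbin/.hidden"
    compare_trees "$ref" "$sus" bin sbin | sort
    rm -rf "$tmp"
}
```

In real use, mount the suspect filesystems read-only on the clean box and pass the mount points as REFERENCE and SUSPECT; hashing is done entirely by the clean machine's binaries, so a modified ls, find or cksum on the compromised host cannot hide anything.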