From owner-freebsd-questions Mon Dec 18 19:32:47 2000
From owner-freebsd-questions@FreeBSD.ORG Mon Dec 18 19:32:45 2000
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from w2xo.pgh.pa.us (ipl-229-034.npt-sdsl.stargate.net [208.223.229.34]) by hub.freebsd.org (Postfix) with ESMTP id 4BE7337B400 for ; Mon, 18 Dec 2000 19:32:44 -0800 (PST)
Received: from shazam.int (shazam.int [192.168.5.3]) by w2xo.pgh.pa.us (8.9.3/8.9.3) with ESMTP id DAA60029; Tue, 19 Dec 2000 03:32:13 GMT (envelope-from durham@w2xo.pgh.pa.us)
Date: Mon, 18 Dec 2000 22:32:20 -0500 (EST)
From: Jim Durham
X-Sender: durham@shazam.int
To: "Gerald T. Freymann"
Cc: Jonathan Fosburgh , Questions
Subject: RE: Hacker history file - OUCH
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Mon, 18 Dec 2000, Gerald T. Freymann wrote:

> |O|> Do you know for sure it was an intruder?
>
> Had to be. All of this was done under the name of our backup software
> (amanda)
>
> |O|> The results of the su ought to be in /var/log/messages.
> |O|> Especially the one to toor. You should either see a success or failure
> message.
>
> Duh! Forgot about that. It only logs successful su's and there are none
> from anybody but staff since Nov 30th.
>

Ah, but this guy (or gal) was root! root can change the /var/log/messages
file, so don't believe anything you see on a machine that has been
compromised that way.

One could always do a new installation of the basic binaries on an old 486
or whatever and then NFS mount / and /usr and compare them against your
bin, sbin, etc. Use the tools on the new machine, of course, to do the
compare!

-Jim Durham

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
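The comparison Jim describes, as an added example that is not part of the original post: run it on the freshly installed clean machine, with the suspect box's filesystem mounted read-only (the mount point /mnt/suspect is an assumption), so that only the trusted host's find and cmp are used. It reports files that differ from the clean tree, files missing from the suspect tree, and files present only on the suspect tree.

```shell
#!/bin/sh
# Compare a suspect system tree against a known-good tree, file by file.
# Run from the clean host: the find/cmp used are the trusted ones on this
# machine; the suspect tree is the compromised box mounted read-only over
# NFS (assumed at /mnt/suspect). Constructed example, not from the post.

# Usage: compare_tree TRUSTED SUSPECT
# Prints one line per difference:
#   MODIFIED path   - file exists in both trees but contents differ
#   MISSING  path   - file in the trusted tree is absent from the suspect
#   EXTRA    path   - file exists only in the suspect tree
compare_tree() {
    trusted="$1"
    suspect="$2"
    # Every regular file in the trusted tree must exist and be byte-identical
    # in the suspect tree; cmp -s does a byte comparison with no output.
    find "$trusted" -type f -print | while read -r f; do
        rel="${f#"$trusted"/}"
        if [ ! -f "$suspect/$rel" ]; then
            echo "MISSING  $rel"
        elif ! cmp -s "$f" "$suspect/$rel"; then
            echo "MODIFIED $rel"
        fi
    done
    # Files that exist only on the suspect side are worth a look as well.
    find "$suspect" -type f -print | while read -r f; do
        rel="${f#"$suspect"/}"
        [ -f "$trusted/$rel" ] || echo "EXTRA    $rel"
    done
}

# Suggested invocation on the clean machine (mount point is assumed):
#   compare_tree /bin  /mnt/suspect/bin
#   compare_tree /sbin /mnt/suspect/sbin
```

A clean result for /bin and /sbin only says the binaries match; the comparison says nothing about kernel modules, configuration files or anything under /usr/local unless those trees are compared too.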