From: Remko Lodder <remko@elvandar.org>
To: freebsd-questions@freebsd.org
Subject: Re: have i been hacked?
Date: Wed, 14 Apr 2004 11:48:45 +0200
Message-ID: <407D08FD.1080708@elvandar.org>
In-Reply-To: <200404140933.i3E9XdSE000461@mist.nodomain>

Dan Strick wrote:

>> ...
>> When i got the daily run
>> output i noticed the setuid files have changed. Wondering if this box got
>> hacked and if so where to look to confirm this?
>> ...
>>
>> Checking setuid files and devices:
>> ls: Terminated
>> : No such file or directory
>>
>> guardian.davemehler.net setuid diffs:
>> 1,52d0
>> < 94240 -r-sr-xr-x 1 root wheel 448384 Jun 4 21:54:47 2003 /bin/rcp
>> ...
>>
>
> The "ls" command the security script uses to discover all of the setuid
> files on your system failed for some unspecified reason and this caused the
> script to think that all the setuid files discovered during the previous
> run of this security script had gone away. The next time this script
> runs it may well report that these files have reappeared.
>
> This is probably not evidence that your system was hacked.

Then what does it tell you that happened? When a file appears, that is rather strange; also notice the size of /bin/rcp, which differs from:

aragorn# ls -l /bin/rcp
-r-sr-xr-x  1 root  wheel  18392 Feb 23 20:41 /bin/rcp

(notice the size! Someone mentioned that already on the list.)

So obviously something weird happened. I don't make the assumption that you are not hacked; let's assume you are hacked. Take out the hard disk and make a backup of it. Then seal the original disk so that you cannot mess that one up. Do some forensics on the backed-up hard disk (not the original!). For example, install chkrootkit to see whether it has a rootkit installed, and check if you miss anything else. Are there files that you did not notice before? What network connections are being made when the host reboots? etc. etc.

I certainly think that it's really weird that a file increased that much in size (while my 5.2.1-p4 systems are up to date). I also think that the file the security output misses is strange; I assume that this isn't the first day the host is running.

Hope this helps a bit. Also note that this is my consideration, and may or may not be backed up by other persons ;-)

> Dan Strick
> strick@covad.net

-- 
Kind regards,
Remko Lodder
Elvandar.org/DSINet.org
www.mostly-harmless.nl
A Dutch community for helping newcomers on the hackerscene
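The two readings above disagree because the periodic setuid check cannot tell "the listing died" (Dan's explanation of the `1,52d0` diff) from "the files changed" (Remko's point about the size of /bin/rcp). Below is an added example, not code from this thread or from FreeBSD's periodic(8) security scripts: a POSIX sh baseline check that treats a failed or empty listing as an error and keeps the old baseline, so that a size or checksum change on a single setuid binary still shows up as a changed line. The root and baseline paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD's periodic scripts.
# A setuid baseline check that refuses to diff when the listing itself fails,
# so a killed or erroring "ls"/"find" no longer reports every setuid file as
# removed (the "1,52d0" diff quoted above). All paths are assumptions.

# Print "crc bytes path" for each setuid/setgid regular file under $1,
# sorted by path. cksum is POSIX and portable; substitute sha256 where
# available, since a CRC does not resist deliberate tampering.
# Returns 2 if find (or cksum on any file) fails, or if nothing was found:
# an empty list from a host that had setuid files yesterday is itself suspect.
setuid_snapshot() {
    _root=$1
    _list=$(find "$_root" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
                 -exec cksum {} +) || return 2
    [ -n "$_list" ] || return 2
    printf '%s\n' "$_list" | sort -k3
}

# Compare the live snapshot of $1 with baseline file $2.
# Exit status: 0 unchanged (or baseline just created); 1 differences found,
# diff printed (a size/CRC change on an existing binary, like the /bin/rcp
# growth discussed above, appears as a changed line, not as "all removed");
# 2 listing failed. The baseline is never rewritten on 1 or 2: the operator
# reviews the diff first and accepts it with  setuid_snapshot / > baseline
setuid_check() {
    _root=$1 _baseline=$2
    _new=$(setuid_snapshot "$_root") || {
        echo "setuid check: listing of $_root failed; baseline kept" >&2
        return 2
    }
    if [ ! -f "$_baseline" ]; then
        printf '%s\n' "$_new" > "$_baseline"
        echo "setuid check: baseline written to $_baseline"
        return 0
    fi
    _diff=$(printf '%s\n' "$_new" | diff "$_baseline" -) && return 0
    echo "setuid check: changes since baseline ($_root):"
    echo "$_diff"
    return 1
}
# Usage (assumed paths): setuid_check / /var/db/setuid.baseline
```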