From: Lowell Gilbert
To: freebsd-questions@freebsd.org, "Cordula's Web"
Subject: Re: Monitoring a file?
Date: 23 Nov 2003 18:06:12 -0500
Message-ID: <441xryznvf.fsf@be-well.ilk.org>
In-Reply-To: <200311231701.hANH1ipd098716@fw.farid-hajji.net>
References: <200311222258.hAMMwApd092388@fw.farid-hajji.net> <16320.5175.69241.145102@jerusalem.litteratus.org> <20031123103544.GD9494@happy-idiot-talk.infracaninophile.co.uk> <200311231701.hANH1ipd098716@fw.farid-hajji.net>

"Cordula's Web" writes:

> I've finally found the culprit with a traditional method:
> * md5 (binary from an uncompromised machine) on all files
> * reinstalling from scratch (not buildworld, but really
>   installing from FTP)
> * md5 again and diff.

[snip]

> Ugh... system clean again at last. :)

You can't be sure.
The attacker probably put an suid binary somewhere besides the normal system binaries, in which case it's still there and you may still be vulnerable. When you know you've been hacked, you need to wipe the disk and *really* reinstall from scratch. And be very careful about what you restore from backups, too.
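The two checks discussed in this exchange, as an added example that is not part of the original thread: a sorted digest manifest taken from the known-good install, diffed against the live system to show added or modified files, plus a filesystem-wide setuid/setgid sweep checked against an allow-list, which is what catches a planted suid binary outside the normal system directories. The function names, the fixture tree and its "trojaned" contents are all constructed for this example; the digests come from md5(1) on FreeBSD or md5sum(1) elsewhere.

```shell
#!/bin/sh
# Added example, not from the original thread. Every path and file below is a
# constructed fixture; the helper names are hypothetical.
set -eu
export LC_ALL=C   # byte-order sorting so sort(1) and comm(1) agree

# hash_file FILE -> MD5 hex digest. FreeBSD ships md5(1), most others md5sum(1).
hash_file() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# manifest ROOT -> "digest path" for every regular file under ROOT, sorted.
manifest() {
    (cd "$1" && find . -type f | sort | while IFS= read -r f; do
        printf '%s %s\n' "$(hash_file "$f")" "$f"
    done) | sort
}

# suid_scan ROOT -> every setuid or setgid regular file under ROOT, anywhere,
# not just in the directories a clean install would populate.
suid_scan() {
    (cd "$1" && find . -type f \( -perm -4000 -o -perm -2000 \)) | sort
}

# new_or_changed BASE NEW -> paths whose "digest path" line exists only in NEW:
# files added since the baseline or whose contents differ from it.
new_or_changed() {
    comm -13 "$1" "$2" | cut -d' ' -f2- | sort
}

# unexpected_suid ROOT ALLOWLIST -> setuid/setgid files absent from the sorted
# allow-list of paths the install is known to ship with the bit set.
unexpected_suid() {
    suid_scan "$1" | comm -23 - "$2"
}

# build_fixture -> prints the path of a constructed "clean install" containing
# one legitimate setuid binary (bin/login).
build_fixture() {
    fixture_root=$(mktemp -d)
    mkdir -p "$fixture_root/bin" "$fixture_root/usr/local/bin" "$fixture_root/tmp"
    printf 'echo ls\n' > "$fixture_root/bin/ls"
    printf 'echo login\n' > "$fixture_root/bin/login"
    chmod 4755 "$fixture_root/bin/login"
    printf '%s\n' "$fixture_root"
}

# compromise_fixture ROOT -> simulates the intrusion described in the thread:
# a modified system binary plus a hidden setuid shell dropped under tmp/.
compromise_fixture() {
    printf 'echo ls (modified)\n' > "$1/bin/ls"
    mkdir -p "$1/tmp/.x"
    printf 'exec /bin/sh\n' > "$1/tmp/.x/sh"
    chmod 4755 "$1/tmp/.x/sh"
}

# Walk through the scenario on the constructed tree.
clean=$(build_fixture)
manifest "$clean" > "$clean.base"          # taken from the known-good install
printf './bin/login\n' > "$clean.suid-ok"  # setuid files the install is expected to have
compromise_fixture "$clean"
manifest "$clean" > "$clean.now"
printf 'Added or modified files:\n'
new_or_changed "$clean.base" "$clean.now"
printf 'Setuid/setgid files outside the expected set:\n'
unexpected_suid "$clean" "$clean.suid-ok"
```

The manifest diff alone reports ./bin/ls (changed) and ./tmp/.x/sh (new), but only if the manifest covers the whole filesystem rather than the system binary directories; the separate setuid sweep reports ./tmp/.x/sh regardless of where the manifest was taken. Both checks must be run with binaries brought in from a trusted machine, since a trojaned find(1) or md5(1) on the compromised host can hide exactly these files.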