From owner-freebsd-net Tue Dec 19 00:33:35 2000
From owner-freebsd-net@FreeBSD.ORG Tue Dec 19 00:33:32 2000
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from jason.argos.org (a13b063.neo.rr.com [204.210.197.63]) by hub.freebsd.org (Postfix) with ESMTP id A590737B400 for ; Tue, 19 Dec 2000 00:33:27 -0800 (PST)
Received: from localhost (mike@localhost) by jason.argos.org (8.10.1/8.10.1) with ESMTP id eBJ8OFv10873; Tue, 19 Dec 2000 03:24:15 -0500
Date: Tue, 19 Dec 2000 03:24:15 -0500 (EST)
From: Mike Nowlin
To: mikel
Cc: "Zaitsau, Andrei", net@FreeBSD.ORG
Subject: Re: Hacked computer
In-Reply-To: <3A3E5C33.793B5684@ocsinternet.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> If you've been rooted, then the logs are probably no good. But check your wtmp
> for logons, and messages, and well if you don't see anything unusual there then
> they've probably been wiped. Have you regained root yet? Personally I would pull the
> box off net and backup the important config stuff, then blast it....but hey I
> tend to be a bit of an extremist in these cases...

A very helpful trick I did on a Linux box once that was rooted, where Mr. Friendly did a "rm -fr /" to try to make my life as difficult as possible, was (after installing the erased drive on a new machine):

    strings /dev/hdc1 > keepme_hdc1

Due to the fact that "rm" really doesn't erase anything, the contents were still there - doing a "strings" on the raw partition will retrieve a lot. With a bit of patience, it's amazing what will show up -- usually, the former contents of /var/log/* will show up as large chunks that are easily read...

Turns out I found this guy's IP address and the time the system was blasted - a call to MCI resulted in a small amount of satisfaction...

--mike
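The trick Mike describes, carving printable runs out of a raw partition with strings(1) and then picking the old /var/log/* records out of the result, is easy to turn into a small tool. The script below is an added example, not part of Mike's post or of FreeBSD: it reimplements the strings scan in Python (same rule as strings(1): runs of at least N printable bytes, broken by newlines and other non-printables), filters the runs for syslog-style records, and orders them into a timeline. The disk image, host name, PIDs and addresses are all constructed for the demonstration. In practice you would run it over a read-only image of the partition (dd output or the device node from a second machine, as in the post) rather than the live filesystem, so nothing in the unallocated space gets overwritten while you work.

```python
import random
import re
from datetime import datetime
from typing import List, Tuple

# Printable-run rule used by strings(1): ASCII 0x20-0x7e plus tab, at least
# MIN_LEN in a row. Newline is not printable, so each old log line becomes
# its own run even when the surrounding blocks are binary garbage.
MIN_LEN = 4

# Syslog record: "Dec 18 23:41:07 host program[pid]: message". Searched, not
# anchored, because a carved run often carries a junk prefix from whatever
# printable bytes happened to sit just before the log block on disk.
SYSLOG_RECORD = re.compile(
    r"(?P<ts>(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.+)$"
)

# Constructed sample: what a deleted /var/log/messages block might look like
# once its directory entry is gone but the data blocks are still on disk.
LOG_CHUNK = (
    b"Dec 18 23:41:07 host1 sshd[1042]: Accepted password for mike from 10.0.0.5 port 1022 ssh2\n"
    b"Dec 18 23:52:31 host1 login[1180]: ROOT LOGIN ON tty1\n"
    b"Dec 19 00:03:12 host1 su: mike to root on /dev/ttyp0\n"
)
STRAY_LINE = b"Dec 19 00:11:45 host1 syslogd: exiting on signal 15\n"


def build_image(seed: int = 7) -> bytes:
    """Constructed raw 'partition': pseudo-random binary blocks with the deleted
    log data scattered between them, the way an erased drive actually looks."""
    rng = random.Random(seed)

    def noise(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    return noise(4096) + LOG_CHUNK + noise(2048) + STRAY_LINE + noise(1024)


def carve_strings(image: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Every run of >= min_len printable bytes, in disk order (what `strings -n` prints)."""
    pattern = re.compile(rb"[\x20-\x7e\t]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(image)]


def carve_syslog_timeline(image: bytes) -> List[Tuple[datetime, str, str]]:
    """Keep only carved runs that look like syslog records and sort them by time.

    Random binary data produces plenty of short printable runs; the record
    regex discards those. The year is absent from syslog timestamps, so the
    parsed datetimes share a dummy year and order correctly within one year.
    """
    records = []
    for run in carve_strings(image):
        m = SYSLOG_RECORD.search(run)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        records.append((ts, m.group("host"), m.group("msg")))
    records.sort(key=lambda r: r[0])
    return records


if __name__ == "__main__":
    for ts, host, msg in carve_syslog_timeline(build_image()):
        print(ts.strftime("%b %d %H:%M:%S"), host, msg)
```

On a real image, replace `build_image()` with the bytes of the partition copy (read it in chunks rather than all at once for large disks); the carved timeline is what you would compare against wtmp and the remaining logs to see where the gap begins, which is usually the best available estimate of when the attacker arrived and when the wipe happened.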