From owner-freebsd-net Tue Dec 19 7: 8:34 2000
From owner-freebsd-net@FreeBSD.ORG Tue Dec 19 07:08:32 2000
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from bilver.wjv.com (dhcp-1-184.n01.orldfl01.us.ra.verio.net [157.238.210.184]) by hub.freebsd.org (Postfix) with ESMTP id 2683037B400 for ; Tue, 19 Dec 2000 07:08:31 -0800 (PST)
Received: (from bill@localhost) by bilver.wjv.com (8.9.3/8.9.3) id KAA22080 for freebsd-net@freebsd.org; Tue, 19 Dec 2000 10:08:29 -0500 (EST) (envelope-from bill)
Date: Tue, 19 Dec 2000 10:07:45 -0500
From: Bill Vermillion
To: freebsd-net@freebsd.org
Subject: Re: Hacked computer
Message-ID: <20001219100745.B21801@wjv.com>
Reply-To: bv@bilver.wjv.com
References: <3A3E5C33.793B5684@ocsinternet.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from mike@argos.org on Tue, Dec 19, 2000 at 03:24:15AM -0500
Organization: W.J.Vermillion / Orlando - Winter Park
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Dec 19, 2000 at 03:24:15AM -0500, Mike Nowlin thus spoke:

> > If you've been rooted, then the logs are probably no good. But
> > check your wtmp for logons, and messages, and well if you don't
> > see anything unusual there then they've probably been wiped. Have
> > you regained root yet?

...
...

> Due to the fact that "rm" really doesn't erase anything, the
> contents were still there - doing a "strings" on the raw partition
> will retrieve a lot.

> With a bit of patience, it's amazing what will show up -- usually,
> the former contents of /var/log/* will show up as large chunks
> that are easily read... Turns out I found this guy's IP address
> and the time the system was blasted - a call to MCI resulted in a
> small amount of satisfaction...

It's amazing what TCT - The Coroner's Toolkit - will display.
'lazarus' causes files to rise from the dead.

Used ahead of time you can run MD5 on the entire system so you can
check everything if you believe you've been broken into.

Dan Farmer and Wietse Venema wrote it.

Bill
--
Bill Vermillion - bv @ wjv . com
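The two techniques the thread describes, as an added example in Python (not code from the post, from TCT, or from anyone in the thread): carving syslog-shaped lines out of a raw partition image the way `strings` on the device does, and building a whole-tree MD5 baseline ahead of time so a suspected compromise can be checked against it. The disk image, the log lines, the hostnames and the 203.0.113.0/24 address are all constructed for the demo (TEST-NET, not a real host); the syslog line shape and the "bin/" tree are assumptions, not anything the post specifies. The baseline uses MD5 because that is what the post names; a baseline built today should use SHA-256, and it must be stored off the host, since an intruder with root can rewrite a baseline kept on the same disk.

```python
"""Added example: recover deleted log lines from a raw partition image, and
build/compare an integrity baseline of a directory tree.

Everything here is constructed for the demo; nothing reads a real device.
"""
import hashlib
import os
import re
import tempfile

# Printable ASCII runs of at least 4 bytes, the default strings(1) behaviour.
_PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")
# Assumed syslog(3) line shape: "Mon DD HH:MM:SS host message"
_SYSLOG_LINE = re.compile(
    rb"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)"
)
_IPV4 = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def carve_syslog_lines(raw: bytes) -> list:
    """Return syslog-shaped lines found anywhere in raw partition bytes.

    rm(1) only unlinks; the blocks of /var/log/* stay on disk until reused, so
    scanning the whole device for printable runs and keeping only the ones
    that look like log lines recovers what was "deleted". Each hit keeps the
    timestamp, host, message and any IPv4 addresses in the message, which is
    what ties an intrusion to a time and a source address.
    """
    hits = []
    for run in _PRINTABLE_RUN.finditer(raw):
        m = _SYSLOG_LINE.match(run.group(0))
        if not m:
            continue  # printable, but not a log line (binary, config, etc.)
        hits.append({
            "offset": run.start(),
            "timestamp": m.group("ts").decode(),
            "host": m.group("host").decode(),
            "message": m.group("msg").decode(),
            "ips": [ip.decode() for ip in _IPV4.findall(m.group("msg"))],
        })
    return hits


def constructed_image() -> bytes:
    """A fake raw partition: binary junk with fragments of a deleted log."""
    deleted_log = (
        b"Dec 19 03:11:02 gw sshd[4411]: Accepted password for root from 203.0.113.77 port 40122\n"
        b"Dec 19 03:11:40 gw su: bill to root on /dev/ttyp1\n"
        b"Dec 19 03:12:15 gw last message repeated 2 times\n"
    )
    junk = bytes(range(256)) * 4  # includes one long printable run that is not a log line
    # A second, partially overwritten copy of the first line, as happens with
    # rotated logs whose blocks were reused.
    fragment = deleted_log[:40]
    return junk + b"\x00" * 512 + deleted_log + junk + b"\xff" * 128 + fragment + junk


def build_baseline(root: str) -> dict:
    """Record a digest per regular file under root (relative path -> hex).

    MD5 matches the post; swap in hashlib.sha256 for a baseline built today.
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            h = hashlib.md5()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = h.hexdigest()
    return baseline


def compare_baseline(before: dict, after: dict) -> dict:
    """Classify differences between a stored baseline and a fresh scan."""
    return {
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
    }


def demo_baseline() -> dict:
    """Baseline a tiny constructed tree, tamper with it, and report the diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for name, body in (("ls", b"original ls"), ("ps", b"original ps")):
            with open(os.path.join(root, "bin", name), "wb") as f:
                f.write(body)
        before = build_baseline(root)
        # Simulated tampering: one binary replaced, one removed, one file dropped.
        with open(os.path.join(root, "bin", "ps"), "wb") as f:
            f.write(b"trojaned ps")
        os.remove(os.path.join(root, "bin", "ls"))
        with open(os.path.join(root, "bin", ".hidden"), "wb") as f:
            f.write(b"dropper")
        after = build_baseline(root)
    return compare_baseline(before, after)


if __name__ == "__main__":
    for hit in carve_syslog_lines(constructed_image()):
        print(f"@{hit['offset']:>6} {hit['timestamp']} {hit['host']} {hit['message']} ips={hit['ips']}")
    print(demo_baseline())
```

On a real system the bytes passed to `carve_syslog_lines` would come from the raw device (for example a copy of `/dev/ad0s1f` taken with `dd` to a separate disk), and the baseline would be built from a clean install and kept off-line; both functions work on whatever bytes or directory they are given.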