From owner-freebsd-net Tue Dec 19 7:22:41 2000
From owner-freebsd-net@FreeBSD.ORG Tue Dec 19 07:22:39 2000
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from bilver.wjv.com (dhcp-1-118.n01.orldfl01.us.ra.verio.net [157.238.210.118])
	by hub.freebsd.org (Postfix) with ESMTP id 9FA8037B402
	for ; Tue, 19 Dec 2000 07:22:37 -0800 (PST)
Received: (from bill@localhost)
	by bilver.wjv.com (8.9.3/8.9.3) id KAA22152
	for freebsd-net@freebsd.org; Tue, 19 Dec 2000 10:22:32 -0500 (EST)
	(envelope-from bill)
Date: Tue, 19 Dec 2000 10:22:23 -0500
From: Bill Vermillion
To: freebsd-net@freebsd.org
Subject: Re: Hacked computer
Message-ID: <20001219102223.C21801@wjv.com>
Reply-To: bv@bilver.wjv.com
References: <3A3E5C33.793B5684@ocsinternet.com> <20001219100745.B21801@wjv.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20001219100745.B21801@wjv.com>; from bill@bilver.wjv.com on Tue, Dec 19, 2000 at 10:07:45AM -0500
Organization: W.J.Vermillion / Orlando - Winter Park
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Dec 19, 2000 at 10:07:45AM -0500, Bill Vermillion thus spoke:
> On Tue, Dec 19, 2000 at 03:24:15AM -0500, Mike Nowlin thus spoke:

Damn - been one of those days.  I looked at the sources to get
Wietse's name spelled right, and copied out the source address but
neglected to include that.  Bad form to follow up your own message -
the relevant part is below for reference.

Here are the addresses for the source:

http://www.fish.com/forensics/
http://www.porcupine.org/forensics/

> > With a bit of patience, it's amazing what will show up -- usually,
> > the former contents of /var/log/* will show up as large chunks
> > that are easily read...  Turns out I found this guy's IP address
> > and the time the system was blasted - a call to MCI resulted in a
> > small amount of satisfaction...
>
> It's amazing what TCT - The Coroner's Toolkit - will display.
> 'lazarus' causes files to rise from the dead.  Used ahead of
> time you can run MD5 on the entire system so you can check
> everything if you believe you've been broken into.
>
> Dan Farmer and Wietse Venema wrote it.
>
> Bill
> --
> Bill Vermillion - bv @ wjv . com
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message

--
Bill Vermillion - bv @ wjv . com


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
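The "run MD5 on the entire system ahead of time" idea from the quoted message, worked through as an added example. This is not code from the original post, from Bill, or from TCT; it is a small POSIX sh script that records a checksum baseline of a file tree and later diffs a fresh snapshot against it, reporting modified, added and missing files. The tree it hashes is constructed inside a temp directory (assumed sample data), and it assumes either GNU `md5sum` or BSD `md5 -q` is on the PATH; paths are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example: pre-intrusion checksum baseline and post-intrusion comparison.
# Not part of the original mailing-list post or of The Coroner's Toolkit.

# Print the MD5 of one file. Assumption: GNU coreutils md5sum or BSD md5 exists.
hash_file() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# make_baseline ROOT OUTFILE
# Record "md5  path" for every regular file under ROOT, sorted by path.
make_baseline() {
    root=$1; out=$2
    find "$root" -type f -print | LC_ALL=C sort | while read -r f; do
        printf '%s  %s\n' "$(hash_file "$f")" "$f"
    done > "$out"
}

# compare_baselines OLD NEW
# Print one line per difference: MODIFIED (hash changed), ADDED (only in NEW),
# MISSING (only in OLD). Prints nothing when the trees are identical.
# Paths are matched on field 2, so paths with spaces are not supported here.
compare_baselines() {
    old=$1; new=$2
    awk '
        NR==FNR { base[$2]=$1; next }           # load OLD: path -> hash
        {
            if (!($2 in base))      print "ADDED    " $2
            else {
                if (base[$2] != $1) print "MODIFIED " $2
                delete base[$2]                 # seen in NEW, drop it
            }
        }
        END { for (p in base) print "MISSING  " p }  # left over = deleted
    ' "$old" "$new" | LC_ALL=C sort
}

# demo: build a constructed tree, baseline it, tamper with it, and compare.
# Returns the change report on stdout; always exits 0 so it can be run
# under set -e.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/sys/bin" "$tmp/sys/etc"
    printf 'login binary v1\n' > "$tmp/sys/bin/login"          # constructed
    printf 'root:*:0:0\n'      > "$tmp/sys/etc/master.passwd"  # constructed
    make_baseline "$tmp/sys" "$tmp/baseline.md5"               # done "ahead of time"

    # Simulated post-intrusion state: trojaned binary, new hidden file, deleted file.
    printf 'login binary v1 + backdoor\n' > "$tmp/sys/bin/login"
    printf 'hidden\n' > "$tmp/sys/bin/.rk"
    rm "$tmp/sys/etc/master.passwd"
    make_baseline "$tmp/sys" "$tmp/current.md5"

    compare_baselines "$tmp/baseline.md5" "$tmp/current.md5"
    rm -rf "$tmp"
    return 0
}

# When run directly: print the three-line report for the constructed tree.
[ "${0##*/}" = "baseline_demo.sh" ] && demo
```

Two caveats a practitioner would want next to this: the baseline file, and the `find`, `awk` and checksum binaries you run the comparison with, must live somewhere the attacker could not have touched (read-only media or a separate known-good host), because a rootkit that replaces `login` can just as easily replace `md5`; and MD5 collisions have been practical for years, so a baseline made today should use SHA-256 (`sha256sum` / `sha256 -q`) rather than the MD5 of the 2000-era advice.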