From: "dave"
To: freebsd-questions@freebsd.org
Date: Wed, 14 Apr 2004 00:51:06 -0400
Subject: have i been hacked?

Hello,

Wondering if a system on my network has been hacked? At approx. 12:30 this evening the hard disk went crazy. I have been out of town lately and have not checked any of the machines; when I did, the CPU usage was at 15%, which on this machine never gets above 1, maybe 1.5. So I looked, and I had nearly 150 processes on the box, 9 running. When I got the daily run output I noticed the setuid files have changed. Wondering if this box got hacked and if so where to look to confirm this? And if so, what to do?

Thanks.
Dave.
Checking setuid files and devices:
ls: Terminated : No such file or directory
guardian.davemehler.net setuid diffs:
1,52d0
< 94240 -r-sr-xr-x 1 root wheel 448384 Jun 4 21:54:47 2003 /bin/rcp
< 117807 -r-sr-x--- 1 root operator 421832 Jun 4 21:55:39 2003 /sbin/mksnap_ffs
< 117826 -r-sr-xr-x 1 root wheel 451668 Jun 4 21:55:43 2003 /sbin/ping
< 117827 -r-sr-xr-x 1 root wheel 463444 Jun 4 21:55:43 2003 /sbin/ping6
< 117839 -r-sr-x--- 1 root operator 431052 Jun 4 21:55:46 2003 /sbin/shutdown
< 94338 -r-sr-xr-x 4 root wheel 21608 Jun 4 21:56:31 2003 /usr/bin/at
< 94338 -r-sr-xr-x 4 root wheel 21608 Jun 4 21:56:31 2003 /usr/bin/atq
< 94338 -r-sr-xr-x 4 root wheel 21608 Jun 4 21:56:31 2003 /usr/bin/atrm
< 94338 -r-sr-xr-x 4 root wheel 21608 Jun 4 21:56:31 2003 /usr/bin/batch
< 94353 -r-sr-xr-x 6 root wheel 17892 Jun 4 21:56:32 2003 /usr/bin/chfn
< 94353 -r-sr-xr-x 6 root wheel 17892 Jun 4 21:56:32 2003 /usr/bin/chpass
< 94353 -r-sr-xr-x 6 root wheel 17892 Jun 4 21:56:32 2003 /usr/bin/chsh
< 94553 -r-sr-xr-x 1 root wheel 27072 Jun 4 21:56:56 2003 /usr/bin/crontab
< 94384 -r-xr-sr-x 1 root kmem 15416 Jun 4 21:56:35 2003 /usr/bin/fstat
< 94419 -r-sr-xr-x 1 root wheel 7804 Jun 4 21:56:39 2003 /usr/bin/lock
< 94422 -r-sr-xr-x 1 root wheel 18944 Jun 4 21:56:39 2003 /usr/bin/login
< 94560 -r-sr-sr-x 1 root daemon 25344 Jun 4 21:57:13 2003 /usr/bin/lpq.bak
< 94561 -r-sr-sr-x 1 root daemon 29216 Jun 4 21:57:14 2003 /usr/bin/lpr.bak
< 94562 -r-sr-sr-x 1 root daemon 24108 Jun 4 21:57:14 2003 /usr/bin/lprm.bak
< 94441 -r-xr-sr-x 1 root kmem 100776 Jun 4 21:56:41 2003 /usr/bin/netstat
< 94448 -r-sr-xr-x 1 root wheel 4452 Jun 4 21:56:41 2003 /usr/bin/opieinfo
< 94450 -r-sr-xr-x 1 root wheel 11612 Jun 4 21:56:42 2003 /usr/bin/opiepasswd
< 94452 -r-sr-xr-x 2 root wheel 5920 Jun 4 21:56:42 2003 /usr/bin/passwd
< 94458 -r-sr-xr-x 1 root wheel 11584 Jun 4 21:56:42 2003 /usr/bin/quota
< 94461 -r-sr-xr-x 1 root wheel 11008 Jun 4 21:56:42 2003 /usr/bin/rlogin
< 94465 -r-sr-xr-x 1 root wheel 8564 Jun 4 21:56:43 2003 /usr/bin/rsh
< 94478 -r-sr-xr-x 1 root wheel 12308 Jun 4 21:56:44 2003 /usr/bin/su
< 94517 -r-xr-sr-x 1 root kmem 15532 Jun 4 21:56:48 2003 /usr/bin/vmstat
< 94519 -r-xr-sr-x 1 root tty 10516 Jun 4 21:56:48 2003 /usr/bin/wall
< 94527 -r-xr-sr-x 1 root tty 8100 Jun 4 21:56:49 2003 /usr/bin/write
< 94353 -r-sr-xr-x 6 root wheel 17892 Jun 4 21:56:32 2003 /usr/bin/ypchfn
< 94353 -r-sr-xr-x 6 root wheel 17892 Jun 4 21:56:32 2003 /usr/bin/ypchpass
< 94353 -r-sr-xr-x 6 root wheel 17892 Jun 4 21:56:32 2003 /usr/bin/ypchsh
< 94452 -r-sr-xr-x 2 root wheel 5920 Jun 4 21:56:42 2003 /usr/bin/yppasswd
< 96169 -r-sr-xr-x 1 root wheel 3540 Jun 4 21:55:29 2003 /usr/libexec/pt_chown
< 96150 -r-xr-sr-x 1 root smmsp 629176 Jun 4 21:57:15 2003 /usr/libexec/sendmail/sendmail
< 108075 -rwsr-xr-x 1 root daemon 8624 Dec 21 18:00:36 2003 /usr/local/bin/lppasswd
< 73521 -rwsr-xr-x 1 root wheel 285508 May 23 09:27:21 2003 /usr/local/bin/screen
< 72487 -rws--x--x 1 root wheel 741976 May 23 11:00:24 2003 /usr/local/bin/sperl5.6.1
< 78399 ---s--x--x 1 root wheel 86484 May 23 11:56:11 2003 /usr/local/bin/sudo
< 77227 -rwxr-sr-x 1 root maildrop 108333 Aug 25 02:17:22 2003 /usr/local/sbin/postdrop
< 77253 -rwxr-sr-x 1 root maildrop 97362 Aug 25 02:17:23 2003 /usr/local/sbin/postqueue
< 96371 -r-xr-sr-x 1 root daemon 45704 Jun 4 21:57:13 2003 /usr/sbin/lpc
< 96274 -r-sr-xr-x 1 root wheel 22448 Jun 4 21:57:00 2003 /usr/sbin/mrinfo
< 96276 -r-sr-xr-x 1 root wheel 31956 Jun 4 21:57:00 2003 /usr/sbin/mtrace
< 96418 -r-sr-xr-- 1 root network 367336 Jun 4 21:57:04 2003 /usr/sbin/ppp
< 96419 -r-sr-x--- 1 root dialer 106692 Jun 4 21:57:05 2003 /usr/sbin/pppd
< 96328 -r-sr-x--- 1 root network 14516 Jun 4 21:57:07 2003 /usr/sbin/sliplogin
< 96337 -r-sr-xr-x 1 root wheel 16288 Jun 4 21:57:09 2003 /usr/sbin/timedc
< 96338 -r-sr-xr-x 1 root wheel 23392 Jun 4 21:57:09 2003 /usr/sbin/traceroute
< 96339 -r-sr-xr-x 1 root wheel 16788 Jun 4 21:57:09 2003 /usr/sbin/traceroute6
< 96340 -r-xr-sr-x 1 root kmem 8512 Jun 4 21:57:09 2003 /usr/sbin/trpt
mv: rename /var/log/setuid.today to /var/log/setuid.yesterday: No such file or directory

Checking for uids of 0:
root 0
toor 0

Checking for passwordless accounts:

guardian.davemehler.net login failures:

guardian.davemehler.net refused connections:

-- End of security output --
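As an added example (not part of Dave's post or of the FreeBSD periodic scripts), a small parser for the setuid-diff section of the daily security output that separates a diff produced by a check that did not complete (the whole previous list deleted from line 1, with ls/mv errors in the same section) from a genuine addition of a setuid binary. Both sample inputs are constructed; the first reuses entries quoted in the report above, and /usr/local/bin/example-new-setuid in the second is a placeholder path.

```python
import re
from dataclasses import dataclass, field
# Hunk header like "1,52d0" (old lines 1-52 deleted, none added) and errors from the check's own tools.
HUNK_RE = re.compile(r"^(\d+)(?:,\d+)?d0$")
ERROR_RE = re.compile(r"^(ls|find|xargs|mv): ")

@dataclass
class SetuidDiff:
    removed: list = field(default_factory=list)  # paths only in yesterday's list
    added: list = field(default_factory=list)    # paths only in today's list
    errors: list = field(default_factory=list)   # tool error lines in the section
    wholesale_delete: bool = False               # old list deleted from line 1

    def verdict(self) -> str:
        if self.added:                # new setuid/setgid binaries always need a look
            return "new setuid/setgid files: inspect"
        # Whole old list gone plus ls/mv errors: today's list was never written,
        # so the diff reflects a failed check rather than a filesystem change.
        if self.removed and self.wholesale_delete and self.errors:
            return "check incomplete: rerun"
        if self.removed:
            return "setuid files removed: verify"
        return "no change"

def parse_security_output(text: str) -> SetuidDiff:
    diff = SetuidDiff()
    for line in (l.strip() for l in text.splitlines()):
        if ERROR_RE.match(line):
            diff.errors.append(line)
        elif (m := HUNK_RE.match(line)):
            diff.wholesale_delete = m.group(1) == "1"
        else:
            # Entry: marker inode mode links owner group size mon day hh:mm:ss year path
            tokens = line.split()
            if len(tokens) >= 12 and tokens[0] in ("<", ">"):
                (diff.removed if tokens[0] == "<" else diff.added).append(tokens[-1])
    return diff
# Constructed sample: two entries taken from the report quoted in the post above.
FAILED_RUN = """Checking setuid files and devices:
ls: Terminated : No such file or directory
guardian.davemehler.net setuid diffs:
1,52d0
< 94240 -r-sr-xr-x 1 root wheel 448384 Jun 4 21:54:47 2003 /bin/rcp
< 78399 ---s--x--x 1 root wheel 86484 May 23 11:56:11 2003 /usr/local/bin/sudo
mv: rename /var/log/setuid.today to /var/log/setuid.yesterday: No such file or directory"""
# Constructed sample of a genuine finding: one added root-owned setuid binary (placeholder path).
NEW_FILE_RUN = """Checking setuid files and devices:
guardian.davemehler.net setuid diffs:
52a53
> 123456 -rwsr-xr-x 1 root wheel 65536 Apr 13 12:30:00 2004 /usr/local/bin/example-new-setuid"""
```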