From owner-freebsd-security Fri Oct 29 11:40:48 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mail2.mco.bellsouth.net (mail2.mco.bellsouth.net [205.152.48.14]) by hub.freebsd.org (Postfix) with ESMTP id 0846A154E5 for ; Fri, 29 Oct 1999 11:40:39 -0700 (PDT) (envelope-from bertke@bellsouth.net)
Received: from bellsouth.net (adsl-78-197-184.sdf.bellsouth.net [216.78.197.184]) by mail2.mco.bellsouth.net (3.3.5alt/0.75.2) with ESMTP id OAA01349; Fri, 29 Oct 1999 14:39:07 -0400 (EDT)
Message-ID: <3819E935.16B59880@bellsouth.net>
Date: Fri, 29 Oct 1999 18:36:38 +0000
From: Bert Kellerman
X-Mailer: Mozilla 4.61 [en] (X11; I; Linux 2.0.36 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Beck David
Cc: "'freebsd-security@FreeBSD.ORG'"
Subject: Re: Strange things on my computer / Help
References: <1BD5A68BE9E8D211BBE8006094B9EB73E97C@netfinity.freesoft.hu>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

FYI

Here is a pretty good general guide by CERT on what action to take after
your UNIX box has been compromised.

http://www.cert.org/tech_tips/root_compromise.html

Bert

Beck David wrote:

> This is the first time I write to the list, Big Hello To All,
>
> I administer a host on the Internet which basically doesn't really
> do anything. I installed some services like www, ftp, ssh, qmail
> / no big deal.
>
> I started playing with this machine 10 months ago. Since then I have found
> a handful of strange thingies:
>
> - my wtmp files turn over each month, but after a short while always
>   get corrupted
> - if I run who, it doesn't show any user
> - if I run last, it shows a big pile of garbage
> - I filter out ICMP totally, which is OK for me
> - but the kernel complains every 10 minutes about some _out_going
>   ICMP packets, which go to two hosts. I am absolutely sure
>   that neither I nor any of my programs has anything to do with those hosts
> - when I found this I started to look for the program which generates
>   the ICMP packets but I didn't find anything
> - I checked the cron rules, but I didn't find anything
> - then I turned off the setuid bits on nearly every program on my
>   host including ping and traceroute, but it didn't help
>
> Do you guys suspect that my machine got exploited? /I do, but I can't
> prove it./
>
> Any ideas?
>
> Thx, David.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
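The corrupted wtmp, the empty `who` output and the garbage from `last` that David describes are what a wiped or overwritten login log looks like from the outside. As an added example, not part of this mail or of the CERT guide, here is a small Python audit that reads a wtmp image and reports the signs a responder would look for before trusting `last` at all: all-NUL records left by in-place log wipers, records whose text fields hold non-printable bytes, timestamps that run backwards, and a trailing partial record. It assumes the classic 44-byte BSD utmp layout of old FreeBSD releases (ut_line[8], ut_name[16], ut_host[16], 32-bit ut_time); that layout and the sample image are constructed for the example.

```python
import struct

# Assumed on-disk layout (not stated in the mail): the classic BSD utmp record
# of old FreeBSD releases, ut_line[8], ut_name[16], ut_host[16], ut_time as a
# 32-bit time_t, 44 bytes per entry, little-endian on i386.
UTMP_FMT = "<8s16s16si"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 44 bytes


def make_record(line, name, host, ts):
    """Pack one wtmp record; used here only to build constructed sample data."""
    return struct.pack(UTMP_FMT, line, name, host, ts)


def parse_wtmp(data):
    """Split a wtmp image into records, ignoring any trailing partial record."""
    records = []
    usable = len(data) - len(data) % UTMP_SIZE
    for off in range(0, usable, UTMP_SIZE):
        raw = data[off:off + UTMP_SIZE]
        line, name, host, ts = struct.unpack(UTMP_FMT, raw)
        records.append({"raw": raw, "line": line, "name": name,
                        "host": host, "ts": ts})
    return records


def _has_garbage(field):
    """True if a text field holds bytes that are neither NUL nor printable ASCII."""
    return any(b != 0 and not 32 <= b <= 126 for b in field)


def audit_wtmp(data):
    """Return (kind, record_index, detail) tuples, one per suspicious sign."""
    findings = []
    if len(data) % UTMP_SIZE:
        findings.append(("truncated", None,
                         "length %d is not a multiple of %d"
                         % (len(data), UTMP_SIZE)))
    prev_ts = 0
    for i, rec in enumerate(parse_wtmp(data)):
        if rec["raw"] == b"\0" * UTMP_SIZE:
            # Wipers that zero an entry in place leave exactly this behind.
            findings.append(("zeroed", i, "all-NUL record"))
            continue
        bad = [f for f in ("line", "name", "host") if _has_garbage(rec[f])]
        if bad:
            # These are the bytes 'last' renders as a pile of garbage.
            findings.append(("garbage", i, "non-text bytes in " + ", ".join(bad)))
        if rec["ts"] < prev_ts:
            # Appended wtmp records should never go back in time.
            findings.append(("backwards", i, "timestamp %d before previous %d"
                             % (rec["ts"], prev_ts)))
        prev_ts = max(prev_ts, rec["ts"])
    return findings


# Constructed sample image: one clean login, one wiped (zeroed) entry, one entry
# with binary junk in ut_name, one entry whose time runs backwards, then a
# 10-byte tail such as a truncated write leaves.
SAMPLE_WTMP = (
    make_record(b"ttyp0", b"david", b"host.example", 941000000)
    + b"\0" * UTMP_SIZE
    + make_record(b"ttyp1", b"\xff\xfe\x01garbage", b"", 941000600)
    + make_record(b"ttyp0", b"david", b"host.example", 940990000)
    + b"\0" * 10
)


def audit_sample():
    """Run the audit over the constructed image."""
    return audit_wtmp(SAMPLE_WTMP)


if __name__ == "__main__":
    for kind, idx, detail in audit_sample():
        print("%-9s record=%s %s" % (kind, idx, detail))
```

On a real host the image would be read from `/var/log/wtmp` (and from the rotated copies) on a trusted system rather than through the possibly trojaned `last` binary; any finding is a reason to follow the CERT steps above rather than to keep probing the live machine.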