Date: Wed, 14 Apr 2004 00:31:43 -0500
From: "Micheal Patterson" <micheal@tsgincorporated.com>
To: "dave" <dmehler26@woh.rr.com>, <freebsd-questions@freebsd.org>
Subject: Re: have i been hacked?
Message-ID: <01a201c421e1$ca40a950$0201a8c0@dredster>
References: <000001c421de$6c67ba10$0200a8c0@satellite>
----- Original Message -----
From: "dave" <dmehler26@woh.rr.com>
To: <freebsd-questions@freebsd.org>
Sent: Tuesday, April 13, 2004 11:51 PM
Subject: have i been hacked?

> Hello,
> I'm wondering whether a system on my network has been hacked. At approx. 12:30
> this evening the hard disk went crazy. I have been out of town lately and
> have not checked any of the machines; when I did, the CPU usage was at 15%,
> which on this machine never gets above 1, maybe 1.5. So I looked, and I
> had nearly 150 processes on the box, 9 running. When I got the daily run
> output I noticed the setuid files have changed. Wondering if this box got
> hacked, and if so, where to look to confirm this? And if so, what to do?
> Thanks.
> Dave.
>
>
> Checking setuid files and devices:
> ls: Terminated
> : No such file or directory
>
> guardian.davemehler.net setuid diffs:
> 1,52d0
> < 94240 -r-sr-xr-x 1 root wheel 448384 Jun 4 21:54:47 2003 /bin/rcp
> < 117807 -r-sr-x--- 1 root operator 421832 Jun 4 21:55:39 2003

Compared to my 4.9 systems, your rcp is nearly twice the size it should be.

-r-sr-xr-x 1 root wheel 251444 Apr 9 12:05 rcp

You didn't say which version you were running, but if it's 4.x, then I'd say you've got a serious issue here. If you're running 5.x then I can't say.

--
Micheal Patterson
Network Administration
TSG Incorporated
405-917-0600
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?01a201c421e1$ca40a950$0201a8c0>
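Editor's note on the check being discussed above. The pasted daily-run output is worth reading closely before interpreting the diff: "ls: Terminated" means the listing of setuid files never completed, and the diff header "1,52d0" says all 52 entries of the previous listing are absent from a current listing that has zero lines. That is what a killed ls produces, so the "setuid diffs" section by itself does not tell you which binaries changed; comparing a known-good size and hash per file does. The script below is an added example written for this page, not code from the thread or from FreeBSD's periodic scripts. It records setuid/setgid files with size and SHA-256, ends each listing with an END marker, and refuses to compare a listing that lacks the marker instead of reporting every baseline file as removed. The directory tree, file names and contents in run_demo are constructed; the hypothetical "trojaned rcp" just mimics the symptom Micheal points at (same path, different content, larger size).

```shell
#!/bin/sh
# Added example: baseline-and-compare for setuid/setgid binaries.
# Not from the original thread; sample tree in run_demo is constructed.

hash_file() {
    # sha256sum on Linux/GNU, sha256 -q on FreeBSD
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# list_setuid ROOT: one line per setuid/setgid regular file, "sha256 size path",
# sorted by path, followed by an END marker so an interrupted run is detectable.
list_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
        sort |
        while IFS= read -r f; do
            printf '%s %s %s\n' "$(hash_file "$f")" "$(wc -c < "$f" | tr -d ' ')" "$f"
        done
    printf 'END\n'
}

# compare_setuid BASELINE CURRENT: print ADDED / CHANGED / REMOVED lines.
# Returns 2 without comparing when CURRENT lacks the END marker, i.e. the
# listing was killed partway (the "ls: Terminated" case), because an empty
# or truncated listing would otherwise look like every setuid file vanished.
compare_setuid() {
    if [ "$(tail -n 1 "$2" 2>/dev/null)" != "END" ]; then
        echo "current listing incomplete; refusing to compare" >&2
        return 2
    fi
    awk '
        $1 == "END" { next }
        { path = $0; sub(/^[^ ]+ [^ ]+ /, "", path) }     # path may contain spaces
        FNR == NR { base_hash[path] = $1; base_size[path] = $2; next }   # first file
        !(path in base_hash) { print "ADDED " path " size=" $2; next }
        base_hash[path] != $1 { print "CHANGED " path " size " base_size[path] " -> " $2 }
        { delete base_hash[path] }
        END { for (p in base_hash) print "REMOVED " p }
    ' "$1" "$2"
}

# run_demo: constructed scenario. Take a baseline, then replace one setuid
# binary with different, larger content and drop in a new hidden setuid file;
# finally feed a truncated listing to show the incomplete-listing guard.
run_demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin"
    printf 'original rcp\n' > "$tmp/bin/rcp"
    printf 'original su\n'  > "$tmp/bin/su"
    chmod 4755 "$tmp/bin/rcp" "$tmp/bin/su"
    list_setuid "$tmp" > "$tmp/baseline"

    # hypothetical compromise: trojaned rcp plus a new setuid file
    printf 'trojaned rcp with a lot more code in it\n' > "$tmp/bin/rcp"
    printf 'dropped setuid shell\n' > "$tmp/bin/.sh"
    chmod 4755 "$tmp/bin/.sh"
    list_setuid "$tmp" > "$tmp/current"
    compare_setuid "$tmp/baseline" "$tmp/current"

    # a listing killed after one line must not be compared
    head -n 1 "$tmp/current" > "$tmp/killed"
    compare_setuid "$tmp/baseline" "$tmp/killed" 2>/dev/null || echo "rc=$?"
    rm -rf "$tmp"
}
```

Run it as a normal user: run_demo prints a CHANGED line for bin/rcp, an ADDED line for bin/.sh, no REMOVED line for the untouched bin/su, and rc=2 for the truncated listing. For a real host, keep the baseline off the machine (or at least outside the attacker's reach) and generate it from known-good media; a baseline taken after the intrusion only tells you what changes from now on.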