From: "Micheal Patterson"
To: "dave"
Date: Wed, 14 Apr 2004 00:31:43 -0500
Subject: Re: have i been hacked?
Message-ID: <01a201c421e1$ca40a950$0201a8c0@dredster>
References: <000001c421de$6c67ba10$0200a8c0@satellite>
List: freebsd-questions@freebsd.org (User questions)

----- Original Message -----
From: "dave"
Sent: Tuesday, April 13, 2004 11:51 PM
Subject: have i been hacked?

> Hello,
> Wondering if a system on my network has been hacked? At approx 12:30
> this evening the hard disk went crazy. I have been out of town lately and
> have not checked any of the machines; when I did, the CPU usage was at 15%,
> which on this machine never gets above 1, maybe 1.5.
> So I looked, and I had nearly 150 processes on the box, 9 running. When I
> got the daily run output I noticed the setuid files have changed. Wondering
> if this box got hacked, and if so, where to look to confirm this? And if so,
> what to do?
> Thanks.
> Dave.
>
> Checking setuid files and devices:
> ls: Terminated
> : No such file or directory
>
> guardian.davemehler.net setuid diffs:
> 1,52d0
> < 94240 -r-sr-xr-x 1 root wheel 448384 Jun 4 21:54:47 2003 /bin/rcp
> < 117807 -r-sr-x--- 1 root operator 421832 Jun 4 21:55:39 2003

Compared to my 4.9 systems, your rcp is nearly twice the size it should be:

-r-sr-xr-x 1 root wheel 251444 Apr 9 12:05 rcp

You didn't say which version you were running, but if it's 4.x, then I'd say
you've got a serious issue here. If you're running 5.x then I can't say.

--
Micheal Patterson
Network Administration
TSG Incorporated
405-917-0600
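After a report like the one quoted above, the next defensive step is to compare the current setuid listing against a known-good baseline taken from a trusted install or backup, so that a size jump like the /bin/rcp one is flagged explicitly. The script below is an added example, not code from either poster or from FreeBSD's periodic scripts; both listings are constructed sample data in the daily-run format, and the paths, sizes and the "newtool" entry are assumptions.

```sh
#!/bin/sh
# Added example: diff a saved setuid baseline against a fresh listing and
# report NEW, MISSING and CHANGED files. Both listings are constructed
# sample data in the daily security run format:
#   inode mode links owner group size month day time year path
BASE_LIST='94240 -r-sr-xr-x 1 root wheel 251444 Apr 9 12:05:00 2004 /bin/rcp
117807 -r-sr-x--- 1 root operator 421832 Jun 4 21:55:39 2003 /sbin/shutdown
3301 -r-sr-xr-x 1 root wheel 22024 Jun 4 21:54:10 2003 /usr/bin/passwd'

NOW_LIST='94240 -r-sr-xr-x 1 root wheel 448384 Jun 4 21:54:47 2003 /bin/rcp
3301 -r-sr-xr-x 1 root wheel 22024 Jun 4 21:54:10 2003 /usr/bin/passwd
5555 -r-sr-xr-x 1 root wheel 9012 Apr 13 00:30:00 2004 /usr/local/bin/newtool'

# Keep only path, mode, owner, group and size; inode, link count and
# timestamp are dropped because they can change without the file changing.
normalize() {
    awk '{ print $NF, $2, $4, $5, $6 }'
}

# $1 = baseline listing, $2 = current listing; prints one finding per line.
setuid_report() {
    base=$(printf '%s\n' "$1" | normalize | sort)
    cur=$(printf '%s\n' "$2" | normalize | sort)
    # Files present now: new, or changed in mode/owner/group/size.
    printf '%s\n' "$cur" | while read -r path mode owner group size; do
        old=$(printf '%s\n' "$base" | awk -v p="$path" '$1 == p')
        now="$path $mode $owner $group $size"
        if [ -z "$old" ]; then
            echo "NEW      $now"
        elif [ "$old" != "$now" ]; then
            echo "CHANGED  $path: was [$old] now [$now]"
        fi
    done
    # Files in the baseline that have disappeared.
    printf '%s\n' "$base" | while read -r path rest; do
        printf '%s\n' "$cur" | awk -v p="$path" '$1 == p' | grep -q . \
            || echo "MISSING  $path"
    done
}

setuid_report "$BASE_LIST" "$NOW_LIST"
```

On a live system the current listing would come from something like `find / -type f -perm -u+s -exec ls -li {} +`, and the baseline should be stored off-box so a compromised host cannot rewrite it.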