Date: Wed, 14 Apr 2004 16:08:08 +0000
From: Daniela <dgw@liwest.at>
To: Remko Lodder <remko@elvandar.org>, freebsd-questions@freebsd.org
Subject: Re: have i been hacked?
Message-ID: <200404141608.08788.dgw@liwest.at>
In-Reply-To: <407D08FD.1080708@elvandar.org>
References: <200404140933.i3E9XdSE000461@mist.nodomain> <407D08FD.1080708@elvandar.org>

On Wednesday 14 April 2004 09:48, Remko Lodder wrote:
> Dan Strick wrote:
> >> ...
> >>When i got the daily run
> >>output i noticed the setuid files have changed. Wondering if this box got
> >>hacked and if so where to look to confirm this?
> >> ...
> >>
> >> Checking setuid files and devices:
> >> ls: Terminated
> >>
> >> : No such file or directory
> >>
> >> guardian.davemehler.net setuid diffs:
> >> 1,52d0
> >> < 94240 -r-sr-xr-x 1 root wheel 448384 Jun 4 21:54:47 2003
> >> /bin/rcp ...

[...]

> aragorn# ls -l /bin/rcp
> -r-sr-xr-x 1 root wheel 18392 Feb 23 20:41 /bin/rcp
>
> (notice the size!, someone mentioned that already on the list..)
>
> So obviously something weird happened.

That needn't be the case. Mine is 932532 bytes long (and it was already that
size after a fresh reinstall). And why? Debug symbols. I love to have them
everywhere. Try to strip the file, and it will be much shorter.

Daniela
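
Added example, not part of the original message: a way to check whether a binary such as /bin/rcp still carries symbol or debug sections, which is the size difference the reply describes. It reads only the ELF section header table; the function names and the sample image built by `build_sample` are constructed for illustration.

```python
import struct

def symbol_sections(elf):
    """Return the names of sections that hold symbols or debug info."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = elf[4] == 2                    # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if elf[5] == 1 else ">"     # EI_DATA: 1 = little-endian
    if is64:
        shoff, = struct.unpack_from(end + "Q", elf, 0x28)
        shentsize, shnum, shstrndx = struct.unpack_from(end + "HHH", elf, 0x3A)
    else:
        shoff, = struct.unpack_from(end + "I", elf, 0x20)
        shentsize, shnum, shstrndx = struct.unpack_from(end + "HHH", elf, 0x2E)

    def section(i):
        # sh_name is the first field; sh_offset and sh_size follow the
        # flags and address fields, whose width depends on the ELF class.
        base = shoff + i * shentsize
        name, = struct.unpack_from(end + "I", elf, base)
        fmt, skip = ("QQ", 24) if is64 else ("II", 16)
        off, size = struct.unpack_from(end + fmt, elf, base + skip)
        return name, off, size

    _, stroff, strsize = section(shstrndx)
    strtab = elf[stroff:stroff + strsize]
    names = []
    for i in range(shnum):
        n = section(i)[0]
        names.append(strtab[n:strtab.index(b"\0", n)].decode())
    return [s for s in names
            if s in (".symtab", ".strtab") or s.startswith(".debug")]

def build_sample(names):
    """Constructed minimal ELF64 image: header, name table, section headers."""
    names = [""] + names + [".shstrtab"]
    strtab, offs = b"", []
    for n in names:
        offs.append(len(strtab))
        strtab += n.encode() + b"\0"
    shoff = 64 + len(strtab)
    hdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64,
        len(names), len(names) - 1)
    shdrs = b"".join(struct.pack("<IIQQQQIIQQ", o, 0, 0, 0, 64, len(strtab),
                                 0, 0, 1, 0) for o in offs)
    return hdr + strtab + shdrs
```

On a real system, pass the file's bytes, for example `symbol_sections(open("/bin/rcp", "rb").read())`; an empty list means the binary is already stripped.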