From owner-freebsd-questions@FreeBSD.ORG Wed Apr 14 09:00:06 2004
Date: Wed, 14 Apr 2004 17:00:02 +0100
From: Dick Davies
To: Luke Kearney
Cc: FreeBSD Questions
Message-ID: <20040414160002.GB9078@lb.tenfour>
References: <000001c421de$6c67ba10$0200a8c0@satellite> <20040414144409.F3F8.LUKEK@meibin.net>
In-Reply-To: <20040414144409.F3F8.LUKEK@meibin.net>
Subject: Re: have i been hacked?

* Luke Kearney [0459 06:59]:
>
> On Wed, 14 Apr 2004 00:51:06 -0400
> "dave" granted us these pearls of wisdom:
>
> > Hello,
> > Wondering if a system on my network has been hacked?
> > ls: Terminated
> > : No such file or directory
> > guardian.davemehler.net setuid diffs:
> > 1,52d0
> > < 94240 -r-sr-xr-x 1 root wheel 448384 Jun 4 21:54:47 2003 /bin/rcp
> > < 117807 -r-sr-x--- 1 root operator 421832 Jun 4 21:55:39 2003 /sbin/mksnap_ffs
> > < 117826 -r-sr-xr-x 1 root wheel 451668 Jun 4 21:55:43 2003 /sbin/ping
> > < 117827 -r-sr-xr-x 1 root wheel 463444 Jun 4 21:55:43 2003 /sbin/ping6
>
> My first suggestion is to have a look at what services are running that
> shouldn't be. A hacked box is not much use to anyone if they cannot use
> it. Try sockstat -4 and see if there are unusual (unusual for this box)
> services running such as irc related services. Take a look at your mail
> logs and see if there is unusual mail traffic.

If the box has been taken, you can't trust the binaries any more.

> If the attacker is still logged in (probably unlikely) you might get a
> hint from netstat -NA |grep ESTABLISHED

--
Menu, n.:
    A list of dishes which the restaurant has just run out of.
Rasputin :: Jack of All Trades - Master of Nuns
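Luke's suggestion is to compare `sockstat -4` output against what the box is known to run. The script below is an added example, not from the thread or from FreeBSD: it reads sockstat-style output on stdin and flags any listening socket whose protocol, port and command are not in a baseline. The sockstat sample and the baseline are constructed for illustration.

```sh
#!/bin/sh
# Constructed sample of `sockstat -4` output (not real data from the thread).
# Columns: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       412   4  tcp4   *:22                  *:*
root     sendmail   480   3  tcp4   127.0.0.1:25          *:*
www      httpd      520   3  tcp4   *:80                  *:*
nobody   sh         1337  3  tcp4   *:6667                *:*
root     sshd       900   5  tcp4   192.0.2.10:22         198.51.100.7:40112'

# Constructed baseline of listeners this host is expected to run,
# one "proto port command" triple per line.
BASELINE='tcp4 22 sshd
tcp4 25 sendmail
tcp4 80 httpd'

# unexpected_listeners: reads sockstat output on stdin and prints one line
# per listening socket (foreign address "*:*") whose proto/port/command
# triple is not in $BASELINE. Established connections and the column
# header are skipped.
unexpected_listeners() {
    awk -v baseline="$BASELINE" '
        BEGIN {
            n = split(baseline, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], f, " ")
                ok[f[1] " " f[2] " " f[3]] = 1
            }
        }
        NR == 1 { next }          # column header line
        $7 != "*:*" { next }      # not a listening socket
        {
            port = $6; sub(/.*:/, "", port)   # strip address, keep port
            key = $5 " " port " " $2
            if (!(key in ok))
                printf "UNEXPECTED user=%s cmd=%s pid=%s %s\n", $1, $2, $3, $6
        }'
}

# Stand-alone run: flags the sh process listening on 6667.
printf '%s\n' "$SAMPLE_SOCKSTAT" | unexpected_listeners
```

Because, as Dick points out, the binaries on a compromised host can no longer be trusted, treat what the host's own `sockstat` reports as a hint rather than proof, and confirm with a known-good copy of the tools or from the network side.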