From owner-freebsd-questions@FreeBSD.ORG Wed Apr 14 14:29:20 2004
From: albi
To: freebsd-questions@freebsd.org
Date: Wed, 14 Apr 2004 17:27:26 +0200
Subject: Re: have i been hacked?
Message-Id: <20040414172726.39d70705.albi@aseed.antenna.nl>
In-Reply-To: <200404141608.08788.dgw@liwest.at>
References: <200404140933.i3E9XdSE000461@mist.nodomain> <407D08FD.1080708@elvandar.org> <200404141608.08788.dgw@liwest.at>
X-Mailer: Sylpheed version 0.9.7 (GTK+ 1.2.10; i386-pc-linux-gnu)

On Wed, 14 Apr 2004 16:08:08 +0000 Daniela wrote:

> > aragorn# ls -l /bin/rcp
> > -r-sr-xr-x 1 root wheel 18392 Feb 23 20:41 /bin/rcp
> >
> > (notice the size!, someone mentioned that already on the list..)
> >
> > So obviously something weird happened.
>
> That needn't be the case. Mine is 932532 bytes long (and it was already that
> size after a fresh reinstall).
> And why? Debug symbols. I love to have them everywhere.
> Try to strip the file, and it will be much shorter.
Apart from that, does one really need "rcp" at all?

I recommend deleting as many of your setuid apps as possible, using jails for your services and reading security howtos, and if you really think your box is cracked, reinstall from scratch (and you'll sleep better at night :)

When it comes to rootkits, try also: rkhunter from http://www.rootkit.nl

HTH, GL!
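An added example, not from this thread or from any of its posters, of the setuid audit the reply recommends: inventory every setuid/setgid file under a root with its size and hash, keep that as a baseline, and diff later runs against it so a changed binary (the /bin/rcp size surprise above) shows up as a concrete difference rather than a hunch. It assumes POSIX sh with find(1), cmp(1) and diff(1); the hash tool is auto-detected (sha256sum on Linux, sha256 on FreeBSD) and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the mailing list thread): baseline and diff
# setuid/setgid executables so unexpected changes stand out.

# Hash one file with whatever tool the host provides (assumption: one of
# sha256sum, sha256 or cksum is installed).
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  elif command -v sha256 >/dev/null 2>&1; then
    sha256 -q "$1"
  else
    cksum "$1" | cut -d' ' -f1
  fi
}

# Print "path size hash", sorted, for every setuid or setgid regular file
# under directory $1.
setuid_inventory() {
  find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort |
  while IFS= read -r f; do
    printf '%s %s %s\n' "$f" "$(wc -c < "$f" | tr -d ' ')" "$(hash_file "$f")"
  done
}

# Compare a fresh inventory of directory $1 against baseline file $2.
# Returns 0 when identical, 1 (and prints the diff) when anything is new,
# removed, resized or rehashed.
setuid_diff() {
  tmp=$(mktemp) || return 2
  setuid_inventory "$1" > "$tmp"
  if cmp -s "$tmp" "$2"; then
    rm -f "$tmp"
    return 0
  fi
  echo "setuid inventory differs from baseline:"
  diff "$2" "$tmp"
  rm -f "$tmp"
  return 1
}
```

Take the baseline right after a clean install (setuid_inventory / > /root/setuid.base, stored somewhere the box cannot overwrite) and rerun setuid_diff from cron; a stripped-versus-unstripped binary shows up as a size change, and a replaced one as a hash change.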