From owner-freebsd-questions@FreeBSD.ORG  Thu Oct 18 17:46:35 2007
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id D988516A419
	for <freebsd-questions@freebsd.org>;
	Thu, 18 Oct 2007 17:46:35 +0000 (UTC)
	(envelope-from perrin@apotheon.com)
Received: from outbound-mail-69.bluehost.com (outbound-mail-69.bluehost.com
	[69.89.21.29]) by mx1.freebsd.org (Postfix) with SMTP id 9D01013C48A
	for <freebsd-questions@freebsd.org>;
	Thu, 18 Oct 2007 17:46:35 +0000 (UTC)
	(envelope-from perrin@apotheon.com)
Received: (qmail 18770 invoked by uid 0); 18 Oct 2007 17:46:35 -0000
Received: from unknown (HELO box183.bluehost.com) (69.89.25.183)
	by mailproxy4.bluehost.com with SMTP; 18 Oct 2007 17:46:35 -0000
Received: from c-24-9-123-251.hsd1.co.comcast.net ([24.9.123.251]
	helo=demeter.hydra)
	by box183.bluehost.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.68)
	(envelope-from <perrin@apotheon.com>) id 1IiZS6-00063D-HG
	for freebsd-questions@freebsd.org; Thu, 18 Oct 2007 11:46:34 -0600
Received: from demeter.hydra (localhost [127.0.0.1])
	by demeter.hydra (8.13.6/8.13.6) with ESMTP id l9IHl7Bt028497
	for <freebsd-questions@freebsd.org>;
	Thu, 18 Oct 2007 11:47:07 -0600 (MDT)
	(envelope-from perrin@apotheon.com)
Received: (from ren@localhost)
	by demeter.hydra (8.13.6/8.13.6/Submit) id l9IHl62c028496
	for freebsd-questions@freebsd.org; Thu, 18 Oct 2007 11:47:06 -0600 (MDT)
	(envelope-from perrin@apotheon.com)
X-Authentication-Warning: demeter.hydra: ren set sender to perrin@apotheon.com
	using -f
Date: Thu, 18 Oct 2007 11:47:06 -0600
From: Chad Perrin <perrin@apotheon.com>
To: freebsd-questions Questions <freebsd-questions@freebsd.org>
Message-ID: <20071018174706.GA28392@demeter.hydra>
Mail-Followup-To: freebsd-questions Questions <freebsd-questions@freebsd.org>
References: <005801c8107c$8b7b93a0$0202fea9@jarasoft.net>
	<20071017151607.GB51123@gizmo.acns.msu.edu>
	<002101c810f9$10379b80$0202fea9@jarasoft.net>
	<2850867d4a18dfbe5eb8e9586c114af0@gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <2850867d4a18dfbe5eb8e9586c114af0@gmail.com>
User-Agent: Mutt/1.4.2.3i
X-Identified-User: {737:box183.bluehost.com:apotheon:apotheon.net}
	{sentby:bopbeforesmtp 24.9.123.251 authed with apotheon.com}
X-AntiAbuse: This header was added to track abuse,
	please include it with any abuse report
X-AntiAbuse: Primary Hostname - box183.bluehost.com
X-AntiAbuse: Original Domain - freebsd.org
X-AntiAbuse: Originator/Caller UID/GID - [737 12] / [47 12]
X-AntiAbuse: Sender Address Domain - apotheon.com
Subject: Re: Strange perl script
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Oct 2007 17:46:35 -0000

On Thu, Oct 18, 2007 at 01:04:38AM -0500, Joshua Isom wrote:
> If a simple 'locate sploger' shows nothing (run `periodic weekly` which
> will update your locate database assuming you're keeping things
> relatively stock), then in all likelihood you've got an intruder.  If
> some of the other tips posted give no help, and you've got time on your
> hands, try `grep -l sploger /` and you'll find all files with sploger
> in them.  If you've been broken into and they're being really tricky, it
> won't work but odds are they aren't that bright if the process is still
> in ps's output.

You might also (if you're in a little more of a hurry and taking the
computer out of production for a little bit isn't a problem) boot from a
LiveCD, mount all partitions from your hard drive so they're available
from the LiveCD OS, then updatedb and locate sploger so you're using
tools that haven't been compromised.  Even if it's not actually quicker,
it should *seem* quicker than using grep -- and if grep doesn't work,
this is more likely to work.

In the future, you may want to think about using some kind of integrity
auditing tool to periodically check for unauthorized changes.  Tripwire
is the canonical integrity auditing tool, but you can also use mtree and
even rsync for integrity auditing.

-- 
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
They always say that when life gives you lemons you should make lemonade. 
I always wonder -- isn't the lemonade going to suck if life doesn't give
you any sugar?
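The mtree-style integrity audit mentioned above, as an added example that is not part of the original mail or of mtree(8) itself. It is a deliberately small POSIX sh script: `baseline` records a SHA-256 per regular file under a directory, `audit` re-hashes the tree and reports files that were changed, added or removed since the baseline. The function names, the manifest format and the sample tree in the usage are my own assumptions; it uses FreeBSD's sha256(1) when present and falls back to sha256sum(1) elsewhere. Compared with mtree it omits ownership, mode and timestamps and does not handle paths containing whitespace.

```shell
#!/bin/sh
# Added example (not from the original thread): a minimal file-integrity
# baseline and audit in the spirit of mtree(8).  Function and manifest
# names are assumptions, not an existing tool's interface.
#
# Usage:  sh integrity.sh baseline /mnt/root /media/readonly/root.manifest
#         sh integrity.sh audit    /mnt/root /media/readonly/root.manifest
#
# Run it from a trusted environment (e.g. a LiveCD with the suspect disk
# mounted) and keep the manifest somewhere the audited host cannot write,
# otherwise an intruder can fix up both the tool and the baseline.

LC_ALL=C; export LC_ALL   # byte-order sort so comm(1) sees consistent input

# Print the SHA-256 of one file: sha256(1) on FreeBSD, sha256sum(1) on GNU.
hash_file() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# Emit one "path hash" line per regular file under $1, sorted by full line.
snapshot() {
    ( cd "$1" && find . -type f -print | sort ) | while IFS= read -r f; do
        printf '%s %s\n' "$f" "$(hash_file "$1/$f")"
    done | sort
}

# baseline DIR MANIFEST : write the reference manifest for DIR.
baseline() {
    snapshot "$1" > "$2"
}

# Exit 0 if the first field of some line in FILE equals path $1.
has_path() {
    awk -v p="$1" '$1 == p { f = 1 } END { exit !f }' "$2"
}

# audit DIR MANIFEST : compare DIR against MANIFEST.
# Prints CHANGED/ADDED/REMOVED lines; returns 0 if clean, 1 if anything differs.
audit() {
    dir=$1; manifest=$2
    current=$(mktemp) || return 2
    snapshot "$dir" > "$current"
    report=$( {
        # Manifest lines absent from the current tree: hash changed or file gone.
        comm -23 "$manifest" "$current" | while IFS= read -r line; do
            p=${line%% *}
            if has_path "$p" "$current"; then
                echo "CHANGED $p"
            else
                echo "REMOVED $p"
            fi
        done
        # Current lines absent from the manifest whose path is new: added file.
        comm -13 "$manifest" "$current" | while IFS= read -r line; do
            p=${line%% *}
            has_path "$p" "$manifest" || echo "ADDED $p"
        done
    } )
    rm -f "$current"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Simple command dispatcher; does nothing when sourced without arguments.
case "${1:-}" in
    baseline) baseline "$2" "$3" ;;
    audit)    audit "$2" "$3" ;;
esac
```

A non-zero exit from `audit` is what you would wire into periodic(8) or a cron job; the CHANGED lines are the ones to inspect first, since a replaced `ps`, `ls` or `find` is exactly what makes the on-box search unreliable in the first place.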