From owner-freebsd-isp Tue Dec 4 7:48:42 2001
Delivered-To: freebsd-isp@freebsd.org
Received: from infiniteloop.ca (infiniteloop.ca [216.126.86.53]) by hub.freebsd.org (Postfix) with ESMTP id 8E26D37B417 for ; Tue, 4 Dec 2001 07:48:39 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by infiniteloop.ca (Postfix) with ESMTP id B00211F7; Tue, 4 Dec 2001 10:48:38 -0500 (EST)
Received: from blake (CPE0050DA7C7E5D.cpe.net.cable.rogers.com [24.101.32.246]) (using TLSv1 with cipher RC4-MD5 (128/128 bits)) (Client did not present a certificate) by infiniteloop.ca (Postfix) with ESMTP id E7AF219; Tue, 4 Dec 2001 10:48:37 -0500 (EST)
From: "Blake Crosby"
To: ,
Subject: Weird file in /root
Date: Tue, 4 Dec 2001 10:47:08 -0500
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Importance: Normal
X-Virus-Scanned: by AMaViS snapshot-20010714
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

I am somewhat concerned at this file I found:

7524 -rwsr-sr-t 1 root wheel 0 Nov 30 16:41:10 2001 /root/gA/1)OKR iz )W*N8g?a^' %߾teu?*!!צXRms:|eK"G 

I did delete the file as soon as I found it, since the setUID bit was active.

I am thinking that this machine has been compromised - but I am not sure how.

Any pointers on how I should go about investigating this situation?

Blake

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message
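An added example, not part of the original post or of FreeBSD itself: a small POSIX sh toolkit for the kind of check the question calls for. It decodes an ls(1) mode string such as the `-rwsr-sr-t` shown above, inventories setuid/setgid files under a directory, and diffs that inventory against a saved baseline (the same idea FreeBSD's periodic security check uses). Function names `explain_mode`, `list_suid` and `suid_diff` are assumed helpers.

```shell
#!/bin/sh
# Added example (not the poster's or FreeBSD's own code).
# Helper names explain_mode, list_suid and suid_diff are assumptions.

# Report which special bits a ls(1) mode string carries, e.g. "-rwsr-sr-t"
# (the mode in the post) -> "setuid setgid sticky". Positions 4, 7 and 10
# hold the user, group and other execute slots; 's'/'t' there mean the bit is
# set, and an uppercase 'S'/'T' means it is set without the execute bit.
explain_mode() {
    mode="$1"
    out=""
    case "$(printf '%s' "$mode" | cut -c4)"  in s|S) out="$out setuid" ;; esac
    case "$(printf '%s' "$mode" | cut -c7)"  in s|S) out="$out setgid" ;; esac
    case "$(printf '%s' "$mode" | cut -c10)" in t|T) out="$out sticky" ;; esac
    printf '%s\n' "${out# }"
}

# List every regular file under $1 with the setuid or setgid bit set, one
# ls -ld line each. -q replaces non-printable bytes in names (the post's file
# name is full of them) with '?', so the listing stays greppable and diffable.
# Output is sorted so two runs can be compared with diff(1).
list_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -ldq {} \; 2>/dev/null | sort
}

# Compare the current setuid/setgid inventory of directory $2 with the
# baseline file $1 (produced earlier by list_suid). Prints "-" lines for
# entries that vanished and "+" lines for entries that appeared; a changed
# mode, owner or size shows up as one of each. Returns 0 when nothing
# changed, 1 when something did, 2 on an internal error.
suid_diff() {
    baseline="$1"
    dir="$2"
    current=$(mktemp) || return 2
    list_suid "$dir" > "$current"
    changes=$(diff "$baseline" "$current" | grep '^[<>]' \
              | sed 's/^</-/; s/^>/+/' || true)
    rm -f "$current"
    if [ -n "$changes" ]; then
        printf '%s\n' "$changes"
        return 1
    fi
    return 0
}
```

Record a baseline with `list_suid / > /var/db/suid.baseline` on a known-good host and run `suid_diff /var/db/suid.baseline /` from cron; any `+` line names a setuid or setgid file that was not there before.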