Date:      Fri, 09 May 2003 08:40:34 -0500
From:      Peter Elsner <peter@servplex.com>
To:        freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
Subject:   Hacked?
Message-ID:  <5.2.0.9.2.20030509083519.01813eb8@mail.servplex.com>

This morning, I noticed in my security email, that my entire /usr/bin 
directory had setuid diffs set on them.

I think I've been hacked.  So I installed chkrootkit from ports and ran 
it.  It showed not infected for everything,
except NETSTAT.  NETSTAT showed infected...

I ran chkrootkit for another machine (at my office), and it showed not 
infected for everything.

Both machines are running 4.7-STABLE.

I can re-install and restore my data, that's not a problem, but I am a 
little confused... When listing
any directories, I see the following:

drwxr-xr-x   3 root  wheel    18944 f 16:35 dev
drwxr-xr-x   2 root  wheel      512 f  2002 dist
drwxr-xr-x  17 root  wheel     4608 f 08:35 etc
lrwxr-xr-x   1 root  wheel        9 f  2002 home -> /usr/home
-r-xr-xr-x   1 root  wheel  2326346 f 06:51 kernel
-r-xr-xr-x   1 root  wheel  3258128 f  2000 kernel.GENERIC
-r-xr-xr-x   1 root  wheel  2301572 f  2002 kernel.old
drwxrwxrwx   2 root  wheel      512 f  2002 lib
drwxrwxrwx   3 root  wheel      512 f  2002 log
lrwxr-xr-x   1 root  wheel       19 f  2002 logfiles -> /usr/local/www/logs
drwxr-xr-x   2 root  wheel      512 f  2000 mnt
drwxr-xr-x   2 root  wheel     4096 f 06:52 modules
drwxr-xr-x   2 root  wheel     4096 f 06:51 modules.old
drwxr-xr-x   2 root  wheel      512 f  2002 old
dr-xr-xr-x   1 root  wheel      512 f 08:37 proc
drwxrwxrwx   2 root  wheel      512 f 18:58 ris_datalogs
drwxr-xr-x   4 root  wheel      512 f  2002 root
drwxr-xr-x   2 root  wheel     2048 f 04:36 sbin
drwxr-xr-x   5 root  wheel     1024 f  2002 stand
lrwxr-xr-x   1 root  wheel       11 f 18:04 sys -> usr/src/sys
drwxrwxrwt   4 root  wheel      512 f 08:36 tmp
drwxr-xr-x  19 root  wheel      512 f  2002 usr
drwxr-xr-x  22 root  wheel      512 f  2002 var
lrwxr-xr-x   1 root  wheel       19 f  2002 www -> /usr/local/www/data

Notice the f in place of the date?   What does that mean?


Does it look like I've been hacked?

I've already changed all my passwords.

Any insight on the f in the date would be appreciated.

Thanks in advance

Peter


----------------------------------------------------------------------------------------------------------
Peter Elsner <peter@servplex.com>
Vice President Of Customer Service (And System Administrator)
1835 S. Carrier Parkway
Grand Prairie, Texas 75051
(972) 263-2080 - Voice
(972) 263-2082 - Fax
(972) 489-4838 - Cell Phone
(425) 988-8061 - eFax

I worry about my child and the Internet all the time, even though she's
too young to have logged on yet. Here's what I worry about. I worry
that 10 or 15 years from now, she will come to me and say "Daddy, where
were you when they took freedom of the press away from the Internet?"
-- Mike Godwin

Unix IS user friendly... It's just selective about who its friends are.
System Administration - It's a dirty job, but somebody said I had to do it.
If you receive something that says 'Send this to everyone you know,
pretend you don't know me.

Standard $500/message proofreading fee applies for UCE.
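The "setuid diffs" in the daily security mail come from comparing today's list of setuid/setgid files against yesterday's. The script below is an added example, not code from the original post and not FreeBSD's own /etc/security scripts: it records a baseline of setuid/setgid files under a directory and later reports bits that appeared or disappeared, returning non-zero on any change so it can run from cron. It assumes file paths contain no whitespace and that the baseline file name and location are chosen by the caller.

```shell
#!/bin/sh
# Added example (not from the original post or from FreeBSD's periodic
# security scripts): a minimal setuid/setgid baseline audit.
# Assumption: paths contain no whitespace; baseline is a sorted list of paths.
LC_ALL=C
export LC_ALL

# Print the sorted paths of every setuid or setgid regular file under $1.
list_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# Paths that carry a setuid/setgid bit now under $2 but were absent from the
# baseline file $1 (the file written by list_setuid).
new_setuid() {
    baseline=$1
    dir=$2
    list_setuid "$dir" | comm -13 "$baseline" -
}

# Paths that were in the baseline $1 but no longer carry the bit under $2.
# A silently dropped bit is also worth a look, so report it too.
removed_setuid() {
    baseline=$1
    dir=$2
    list_setuid "$dir" | comm -23 "$baseline" -
}

# Audit $2 against baseline $1. Returns 0 when nothing changed, 1 otherwise,
# which lets cron or periodic mail the output only when something moved.
audit_setuid() {
    baseline=$1
    dir=$2
    added=$(new_setuid "$baseline" "$dir")
    removed=$(removed_setuid "$baseline" "$dir")
    status=0
    if [ -n "$added" ]; then
        printf 'NEW setuid/setgid files under %s:\n%s\n' "$dir" "$added"
        status=1
    fi
    if [ -n "$removed" ]; then
        printf 'setuid/setgid bit dropped under %s:\n%s\n' "$dir" "$removed"
        status=1
    fi
    return $status
}

# Usage: sh setuid-audit.sh BASELINE DIR
#   First run (no BASELINE yet): writes the baseline for DIR.
#   Later runs: audits DIR against BASELINE.
if [ "$#" -eq 2 ]; then
    if [ -f "$1" ]; then
        audit_setuid "$1" "$2"
    else
        list_setuid "$2" > "$1"
        printf 'baseline written to %s\n' "$1"
    fi
fi
```

Keep the baseline somewhere the host cannot rewrite it (another machine, or read-only media), since a baseline stored on the audited box is only as trustworthy as the box. The check also depends on the system's find, sort and comm being intact; when a rootkit checker flags a binary, as chkrootkit did for netstat here, the comparison is best rerun from a known-good boot medium rather than from the suspect system's own tools.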



