From owner-freebsd-security@FreeBSD.ORG  Sun May 11 11:03:23 2003
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 44B3D37B401
	for <freebsd-security@freebsd.org>;
	Sun, 11 May 2003 11:03:23 -0700 (PDT)
Received: from eterna.binary.net (eterna.binary.net [216.229.0.25])
	by mx1.FreeBSD.org (Postfix) with ESMTP id A222A43FB1
	for <freebsd-security@freebsd.org>;
	Sun, 11 May 2003 11:03:22 -0700 (PDT)
	(envelope-from goatee@binary.net)
Received: from matrix.binary.net (matrix.binary.net [216.229.0.2])
	by eterna.binary.net (Postfix) with ESMTP
	id 5D383B4381; Sun, 11 May 2003 13:03:15 -0500 (CDT)
Received: by matrix.binary.net (Postfix, from userid 1021)
	id 48BDB102817; Sun, 11 May 2003 13:03:21 -0500 (CDT)
Date: Sun, 11 May 2003 13:03:21 -0500
From: Blaine Kahle <goatee@binary.net>
To: Brett Glass <brett@lariat.org>
Message-ID: <20030511180321.GB37652@binary.net>
References: <A695FEAC-8224-11D7-B2CA-000393C94468@sarenet.es>
	<A695FEAC-8224-11D7-B2CA-000393C94468@sarenet.es>
	<4.3.2.7.2.20030509110012.03940680@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4.3.2.7.2.20030509110012.03940680@localhost>
User-Agent: Mutt/1.4.1i
cc: freebsd-security@freebsd.org
Subject: Re: Hacked?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 11 May 2003 18:03:23 -0000

On Fri, May 09, 2003 at 11:01:21AM -0600, Brett Glass wrote:
> At 08:25 AM 5/9/2003, Bjoern A. Zeeb wrote:
> 
> >this asumes that truss is ok ;-) perhaps take the truss from your
> >other 4.7 machine ...
> 
> Yes, you do have to be careful of this. I recently investigated a
> machine that had been "owned," and when truss was applied to some
> commands (e.g. netstat) it produced no output.

I'm showing that truss'ing netstat produces no output on several
versions of FreeBSD that I have installed. Is this correct behavior? The
truss and netstat binaries both check out when compared to the listings
at http://www.knowngoods.org/

-- 
Blaine Kahle
blaine@binary.net
0x178AA0E0