From owner-freebsd-questions  Wed Jul 24 16:42: 1 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 1359F37B400
	for <freebsd-questions@freebsd.org>; Wed, 24 Jul 2002 16:41:53 -0700 (PDT)
Received: from labs.unixhideout.com (dsl-65-187-193-189.telocity.com [65.187.193.189])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 030F643E42
	for <freebsd-questions@freebsd.org>; Wed, 24 Jul 2002 16:41:52 -0700 (PDT)
	(envelope-from sagacious@unixhideout.com)
Received: from MIKESBOX ([192.168.1.10])
	by labs.unixhideout.com (8.12.5/8.12.3) with ESMTP id g6ONfrX2068481
	for <freebsd-questions@freebsd.org>; Wed, 24 Jul 2002 19:41:53 -0400 (EDT)
	(envelope-from sagacious@unixhideout.com)
From: "sagacious" <sagacious@unixhideout.com>
To: <freebsd-questions@freebsd.org>
Subject: heh
Date: Wed, 24 Jul 2002 19:41:50 -0400
Message-ID: <000601c2336b$aea3e8d0$0a01a8c0@MIKESBOX>
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_0007_01C2334A.279248D0"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2627
Importance: Normal
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG

This is a multi-part message in MIME format.

------=_NextPart_000_0007_01C2334A.279248D0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit

There is a file in my website root called ?*
 
I knew I didn't make the file so I made a test directory called foo went
into it and touched some quick files and directories. I typed rm ?* and
sure as I thought it deleted all the test files. Someone really has it
out for me lately. I think my box has been compromised and im not sure
where to start. They got in via that god damn sshd exploit so I closed
the port in my router. How do I remove this file without messing up my
box.
 
sagacious (Mike)
Network administrator
The unixhideout network
http://www.unixhideout.com
 

------=_NextPart_000_0007_01C2334A.279248D0
Content-Type: text/html;
	charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns=3D"http://www.w3.org/TR/REC-html40">

<head>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii">


<meta name=3DProgId content=3DWord.Document>
<meta name=3DGenerator content=3D"Microsoft Word 10">
<meta name=3DOriginator content=3D"Microsoft Word 10">
<link rel=3DFile-List href=3D"cid:filelist.xml@01C2334A.27584D10">
<!--[if gte mso 9]><xml>
 <o:OfficeDocumentSettings>
  <o:DoNotRelyOnCSS/>
 </o:OfficeDocumentSettings>
</xml><![endif]--><!--[if gte mso 9]><xml>
 <w:WordDocument>
  <w:SpellingState>Clean</w:SpellingState>
  <w:GrammarState>Clean</w:GrammarState>
  <w:DocumentKind>DocumentEmail</w:DocumentKind>
  <w:EnvelopeVis/>
  <w:Compatibility>
   <w:BreakWrappedTables/>
   <w:SnapToGridInCell/>
   <w:WrapTextWithPunct/>
   <w:UseAsianBreakRules/>
  </w:Compatibility>
  <w:BrowserLevel>MicrosoftInternetExplorer4</w:BrowserLevel>
 </w:WordDocument>
</xml><![endif]-->
<style>
<!--
 /* Font Definitions */
 @font-face
	{font-family:"Lucida Console";
	panose-1:2 11 6 9 4 5 4 2 2 4;
	mso-font-charset:0;
	mso-generic-font-family:modern;
	mso-font-pitch:fixed;
	mso-font-signature:-2147482993 6144 0 0 31 0;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
	{mso-style-parent:"";
	margin:0in;
	margin-bottom:.0001pt;
	mso-pagination:widow-orphan;
	font-size:12.0pt;
	font-family:"Times New Roman";
	mso-fareast-font-family:"Times New Roman";}
a:link, span.MsoHyperlink
	{color:blue;
	text-decoration:underline;
	text-underline:single;}
a:visited, span.MsoHyperlinkFollowed
	{color:purple;
	text-decoration:underline;
	text-underline:single;}
span.EmailStyle17
	{mso-style-type:personal-compose;
	mso-style-noshow:yes;
	mso-ansi-font-size:10.0pt;
	mso-bidi-font-size:10.0pt;
	font-family:"Lucida Console";
	mso-ascii-font-family:"Lucida Console";
	mso-hansi-font-family:"Lucida Console";
	color:black;
	font-weight:normal;
	font-style:normal;
	text-decoration:none;
	text-underline:none;
	text-decoration:none;
	text-line-through:none;}
span.SpellE
	{mso-style-name:"";
	mso-spl-e:yes;}
span.GramE
	{mso-style-name:"";
	mso-gram-e:yes;}
@page Section1
	{size:8.5in 11.0in;
	margin:1.0in 1.25in 1.0in 1.25in;
	mso-header-margin:.5in;
	mso-footer-margin:.5in;
	mso-paper-source:0;}
div.Section1
	{page:Section1;}
-->
</style>
<!--[if gte mso 10]>
<style>
 /* Style Definitions */=20
 table.MsoNormalTable
	{mso-style-name:"Table Normal";
	mso-tstyle-rowband-size:0;
	mso-tstyle-colband-size:0;
	mso-style-noshow:yes;
	mso-style-parent:"";
	mso-padding-alt:0in 5.4pt 0in 5.4pt;
	mso-para-margin:0in;
	mso-para-margin-bottom:.0001pt;
	mso-pagination:widow-orphan;
	font-size:10.0pt;
	font-family:"Times New Roman";}
</style>
<![endif]-->
</head>

<body lang=3DEN-US link=3Dblue vlink=3Dpurple =
style=3D'tab-interval:.5in'>

<div class=3DSection1>

<p class=3DMsoNormal><font size=3D2 color=3Dblack face=3D"Lucida =
Console"><span
style=3D'font-size:10.0pt;font-family:"Lucida =
Console";color:black'>There is a
file in my website root <span class=3DGramE>called =
?*</span><o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dblack face=3D"Lucida =
Console"><span
style=3D'font-size:10.0pt;font-family:"Lucida =
Console";color:black'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dblack face=3D"Lucida =
Console"><span
style=3D'font-size:10.0pt;font-family:"Lucida Console";color:black'>I =
knew I didn&#8217;t
make the file so I made a test directory called <span =
class=3DSpellE>foo</span>
went into it and touched some quick files and directories. I typed <span
class=3DSpellE><span class=3DGramE>rm</span></span><span class=3DGramE> =
?</span>* and
sure as I thought it deleted all the test files. Someone really has it =
out for
me lately. I think my box has been compromised and <span =
class=3DSpellE>im</span>
not sure where to start. They got in via that god damn <span =
class=3DSpellE>sshd</span>
exploit so I closed the port in my router. How do I remove this file =
without
messing up my box.<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dblack face=3D"Lucida =
Console"><span
style=3D'font-size:10.0pt;font-family:"Lucida =
Console";color:black'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dblack face=3D"Lucida =
Console"><span
style=3D'font-size:10.0pt;font-family:"Lucida =
Console";color:black;mso-no-proof:
yes'>sagacious (Mike)</span></font><font color=3Dblack><span =
style=3D'color:black;
mso-no-proof:yes'><o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dblack face=3D"Lucida =
Console"><span
style=3D'font-size:10.0pt;font-family:"Lucida =
Console";color:black;mso-no-proof:
yes'>Network administrator</span></font><font color=3Dblack><span
style=3D'color:black;mso-no-proof:yes'><o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dblack face=3D"Lucida =
Console"><span
style=3D'font-size:10.0pt;font-family:"Lucida =
Console";color:black;mso-no-proof:
yes'>The unixhideout network</span></font><font color=3Dblack><span
style=3D'color:black;mso-no-proof:yes'><o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dblack face=3D"Lucida =
Console"><span
style=3D'font-size:10.0pt;font-family:"Lucida =
Console";color:black;mso-no-proof:
yes'><a =
href=3D"http://www.unixhideout.com">http://www.unixhideout.com</a></span>=
</font><o:p></o:p></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

</div>

</body>

</html>

------=_NextPart_000_0007_01C2334A.279248D0--


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message