Date: Thu, 18 Oct 2001 06:22:51 -0600
From: "Tomek" <tomek@mpionline.com>
To: <freebsd-questions@FreeBSD.ORG>
Subject: I got hacked, I think
Message-ID: <011e01c157cf$9b401700$f6f073d1@mpionline.com>
References: <20011018131823.Y621-100000@jodie.ncptiddische.net>
Hello there,

Hope I don't sound like a fool posting 2 separate problems in the same day. But while looking for the first problem I found many unusual things. I will try to keep it to the point to not waste anyone's time. I appreciate ANY help.

===WHAT I FOUND (quick snips)===

=IN /etc/passwd:
l-x:*:1003:0:User &:/home/l-x:/bin/sh

=IN /etc/master.passwd:
l-x:$4$(snip):1003:0::0:0:User &:/home/l-x:/bin/sh

=IN /var/log/userlog:
2001-10-06 14:00:17 [unknown:useradd] l-x(1003):wheel(0):User &:/home/l-x:/bin/sh

=NOTE: my crashing/rebooting problem mentioned earlier started on 9/9/01
=NOTE: "adduser" log shows nothing

=IN security summary for 9/20/01: (I found it bizarre)
P7.mpionline.com kernel log messages:
> CPU: Pentium III/Pentium III Xeon/Celeron (701.59-MHz 686-class CPU)

=IN security summary for 9/27/01:
58c58
< 2539603 -r-xr-sr-x 1 bin mail 26292 Apr 19 13:11:11 2001 /usr/local/libexec/cucipop
> 2539603 -r-xr-sr-x 1 bin mail 26292 Apr 19 13:11:11 2001 /usr/local/bin/bzcat

=IN security summary for 10/06/01:
58a59
> 2547533 ---s--x--x 1 Broot wheel 83004 Sep 26 21:42:25 2001 /usr/local/bin/sudo

=IN /var/log/messages:
messages:Oct 6 14:01:00 P7 login: LOGIN l-x REFUSED (ACCESS) FROM 212.199.120.98 ON TTY ttyp0
messages:Oct 6 14:01:21 P7 login: LOGIN l-x REFUSED (ACCESS) FROM 212.199.120.98 ON TTY ttyp0

=IN setuid.today I see a LOT of entries, even though I haven't been doing anything. For example:
4515661 -rwsr-xr-x 1 Broot news 7347 Apr 18 20:45:13 2001 /usr/local/news/bin/auth/passwd/ckpasswd
4150643 -r-sr-x--- 1 Broot news 32202 Apr 18 20:44:09 2001 /usr/local/news/bin/inndstart

=NOTE: I found my /var/log/security EMPTY

=VERSION: FreeBSD 4.3-RELEASE (GENERIC) #0: Sat Apr 21 10:54:49 GMT 2001

===COMMENTS===

I know I was NOT doing anything on 09/27/01, 10/06/01 or any of the days in question, so I know it wasn't me. I do not allow ANY accounts on our server other than my own, and I do not use passwords that I use anywhere else.

===QUESTIONS===

Forgive me if this is overwhelming, I have no idea what else to do but ask questions. I have browsed around the usual resources but I am asking these questions in context of the above, not in general really.

Is it normal for /var/log/security to be empty?

Is it normal to have lots of entries in setuid.today (i.e. is it caused by general server activity)?

Any suggestions of what logs/places I should check next to find out WHAT has been done to my system and what it was used for? (i.e. a connection log to see when this hacker was connecting, if it exists).

Any other help.

TY EVERYONE WHO HELPS, I really and truly appreciate this in my moment of panic.
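As an added example, not part of the original post or of FreeBSD's own security scripts, here is a small Python triage script that mechanises two of the checks the symptoms above call for: it flags /etc/passwd accounts whose uid or primary gid is 0 (like the l-x:*:1003:0 entry), and it walks the setuid section of the daily security-run diff to report newly added set-id binaries and entries whose inode and size reappear under a different path (like the cucipop/bzcat pair). The sample inputs are constructed from the lines quoted in the post, with the owner field written as root.

```python
import re

# Constructed sample /etc/passwd, including the odd account quoted in the post.
PASSWD_SAMPLE = """root:*:0:0:Charlie &:/root:/bin/csh
tomek:*:1001:1001:Tomek:/home/tomek:/bin/sh
l-x:*:1003:0:User &:/home/l-x:/bin/sh
"""

# Constructed sample of the setuid section of the daily security-run diff.
SECURITY_DIFF_SAMPLE = """58c58
< 2539603 -r-xr-sr-x 1 bin mail 26292 Apr 19 13:11:11 2001 /usr/local/libexec/cucipop
> 2539603 -r-xr-sr-x 1 bin mail 26292 Apr 19 13:11:11 2001 /usr/local/bin/bzcat
58a59
> 2547533 ---s--x--x 1 root wheel 83004 Sep 26 21:42:25 2001 /usr/local/bin/sudo
"""

# Fields of one find -ls style line: inode, mode, links, owner, group, size, date, path.
LS_RE = re.compile(r"^(\d+)\s+(\S{10})\s+\d+\s+(\S+)\s+(\S+)\s+(\d+)\s+.+?\d{4}\s+(/\S+)$")

def privileged_accounts(passwd_text):
    """Accounts other than root whose uid or primary gid is 0 (the wheel group)."""
    hits = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 7 and f[0] != "root" and (int(f[2]) == 0 or int(f[3]) == 0):
            hits.append((f[0], int(f[2]), int(f[3])))
    return hits

def setid_changes(diff_text):
    """Classify set-id entries in the diff: ('new', None, path, owner) for an added
    line, ('renamed', old_path, new_path, owner) when a removed and an added line
    share inode and size, i.e. the same inode is now listed under another path."""
    removed, findings = {}, []
    for line in diff_text.splitlines():
        m = LS_RE.match(line[2:]) if line[:2] in ("< ", "> ") else None
        if not m:
            continue  # hunk headers such as 58c58 and non-matching lines
        inode, mode, owner, _group, size, path = m.groups()
        if mode[3] not in "sS" and mode[6] not in "sS":
            continue  # neither setuid nor setgid
        if line.startswith("< "):
            removed[(inode, size)] = path
        elif (inode, size) in removed:
            findings.append(("renamed", removed[(inode, size)], path, owner))
        else:
            findings.append(("new", None, path, owner))
    return findings
```

On a live box the same functions can be fed the real /etc/passwd and the setuid section of the mailed security report; a "new" root-owned set-id binary outside the base system, or a "renamed" entry, is what deserves a closer look first.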