From owner-freebsd-questions Thu Oct 18 05:38:01 2001
From: Yonatan Bokovza
To: 'Tomek', freebsd-questions@FreeBSD.ORG
Subject: RE: I got hacked, I think
Date: Thu, 18 Oct 2001 14:37:35 +0200

> ===QUESTIONS===
>
> Is it normal for /var/log/security to be empty?

from syslog.conf(5):

# Log all security messages to a separate file.
security.*                                      /var/log/security

If you don't have any "security messages" it can be empty. Mine is.

> Is it normal to have lots of entries in setuid.today (ie: is it caused
> by general server activity)?

That depends on what you define as "general server activity". After
"installworld", for example, you'll see a list of all the changed suid-files,
which is lots.

> Any suggestions of what logs/places I should check next to find out WHAT
> has been done to my system and what it was used for? (ie: a connection
> log to see when this hacker was connecting, if it exists).

Most of /var/log. If you think you've been hacked, see chkrootkit from the
ports, or www.cert.org for "what to do if you've been hacked".
See also last(1), utmp(5) and /var/log/lastlog, and users' ~/.history files.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
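One way to act on the setuid.today answer above, as an added example that is not part of the thread: the daily security run keeps yesterday's list alongside today's, so a defender can diff the two and flag only the entries that are new and live outside the directories the base system and ports normally install into. It assumes the stock /var/log/setuid.yesterday and /var/log/setuid.today paths, that paths contain no whitespace, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the mailing-list post. Compares the setuid lists
# written by FreeBSD's daily security check (/var/log/setuid.yesterday and
# /var/log/setuid.today are assumed) and reports new, oddly placed binaries.

# Print paths present in TODAY but absent from YESTERDAY. Only the last field
# (the path) is compared, so an installworld that changes sizes and dates of
# existing suid binaries does not drown out a genuinely new one.
new_setuid_paths() {
    y_tmp=$(mktemp); t_tmp=$(mktemp)
    awk '{print $NF}' "$1" | sort -u > "$y_tmp"
    awk '{print $NF}' "$2" | sort -u > "$t_tmp"
    comm -13 "$y_tmp" "$t_tmp"
    rm -f "$y_tmp" "$t_tmp"
}

# Return 0 (true) when a setuid path is outside the usual install locations.
# A setuid file under /tmp, /var/tmp or a home directory deserves a look.
unexpected_location() {
    case "$1" in
        /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*|/usr/libexec/*|\
        /usr/local/bin/*|/usr/local/sbin/*|/usr/local/libexec/*|\
        /usr/X11R6/bin/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print only the new setuid paths that also sit in an unexpected location.
flag_new_setuid() {
    new_setuid_paths "$1" "$2" | while read -r p; do
        if unexpected_location "$p"; then echo "$p"; fi
    done
}

# Constructed sample data in the ls -l style the security run uses; the third
# line stands in for a setuid shell dropped in a hidden /tmp directory.
setuid_demo() {
    y=$(mktemp); t=$(mktemp)
    cat > "$y" <<'EOF'
-r-sr-xr-x 1 root wheel 22624 Sep 5 04:01:12 2001 /usr/bin/passwd
-r-sr-xr-x 1 root wheel 167344 Sep 5 04:01:12 2001 /usr/bin/su
EOF
    cat > "$t" <<'EOF'
-r-sr-xr-x 1 root wheel 22624 Oct 17 04:01:12 2001 /usr/bin/passwd
-r-sr-xr-x 1 root wheel 167344 Oct 17 04:01:12 2001 /usr/bin/su
-rwsr-xr-x 1 root wheel 9012 Oct 17 23:14:02 2001 /tmp/.x/sh
EOF
    flag_new_setuid "$y" "$t"
    rm -f "$y" "$t"
}
```

On a live box, run flag_new_setuid /var/log/setuid.yesterday /var/log/setuid.today and compare anything it prints against the package database and last(1) output before trusting the host.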