From: "Steve Lalonde"
To: "Blake Crosby"
Subject: Re: Weird file in /root
Date: Tue, 4 Dec 2001 17:08:01 -0000
Message-ID: <031201c17ce6$3b3cd7d0$62604ac3@steve2>
Sender: owner-freebsd-isp@FreeBSD.ORG

This could also be output from a

tar xvf filename.tar.gz

that should have been

tar xvfz filename.tar.gz

I did this once on ports.tar.gz. What a mess that made.

Steve Lalonde
Chief Technical Officer
Entanet International Ltd
http://www.enta.net/

----- Original Message -----
From: "Blake Crosby"
Sent: Tuesday, December 04, 2001 3:47 PM
Subject: Weird file in /root

> I am somewhat concerned at this file I found:
>
> 7524 -rwsr-sr-t 1 root wheel 0 Nov 30 16:41:10 2001
> /root/gA /,1.)OKR iz
> )W*N8g?-a^' %߾z?teu?*!S?!צXRms:T|eYK"G
>
> I did delete the file as soon as I found it, since the setUID bit was
> active. I am thinking that this machine has been compromised - but I am not
> sure how.
>
> Any pointers on how I should go about investigating this situation?
>
> Blake
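As a starting point for the investigation asked about above, the following added example (not part of the original thread) records the mode, owner, size and mtime of every setuid/setgid or oddly named regular file under a directory, so the evidence exists before anything is deleted. The function names and the sample file name are constructed for illustration.

```python
import os
import stat
import tempfile

def odd_name(name: bytes) -> bool:
    """True if a file name contains bytes outside printable ASCII."""
    return any(b < 0x20 or b > 0x7E for b in name)

def triage(root):
    """Return one finding per regular file under root that is setuid or
    setgid, or whose name has non-printable bytes. Symlinks are not followed."""
    findings = []
    for dirpath, _dirs, files in os.walk(os.fsencode(root)):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # removed or unreadable while scanning
            if not stat.S_ISREG(st.st_mode):
                continue
            reasons = []
            if st.st_mode & stat.S_ISUID:
                reasons.append("setuid")
            if st.st_mode & stat.S_ISGID:
                reasons.append("setgid")
            if odd_name(name):
                reasons.append("non-printable name")
            if reasons:
                findings.append({
                    "path": repr(path),  # escaped, safe to print on a terminal
                    "mode": stat.filemode(st.st_mode),
                    "uid": st.st_uid,
                    "size": st.st_size,
                    "mtime": st.st_mtime,
                    "reasons": reasons,
                })
    return sorted(findings, key=lambda f: f["mtime"])

def demo():
    """Scan a constructed directory: one ordinary file, one odd setuid file."""
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "notes.txt"), "w").close()
        odd = os.path.join(os.fsencode(d), b"gA\x01 \xdf\xbez")  # constructed name
        open(odd, "wb").close()
        os.chmod(odd, 0o4755)
        return triage(d)

if __name__ == "__main__":
    for f in demo():
        print(f["mode"], f["uid"], f["size"], f["path"], ", ".join(f["reasons"]))
```

The recorded mtime can then be compared with shell history and log timestamps, for example to see whether it lines up with a mistyped tar extraction like the one described in the reply.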