From owner-freebsd-questions Thu Aug 8 20:57:27 2002
Delivered-To: freebsd-questions@freebsd.org
Date: Thu, 08 Aug 2002 23:57:24 -0400
From: Brian McCann
Subject: RE: strange ls and date commands (innocent or suspicious?)
In-reply-to: <055301c23f56$d3c5fb20$6401a8c0@crotchett.com>
To: 'Darren', 'fbsd-questions'
Message-id: <000501c23f58$df4295b0$2e00a8c0@dogbert>
Sender: owner-freebsd-questions@FreeBSD.ORG

I can't say on those files, but just based on an odd line that you didn't put in your passwd file, it could (and I would take it as it does) indicate that the box was compromised. It's not entirely impossible for the box to have been cracked into via your FTP server. I'm not really knowledgeable enough to give any reasons, but I have heard of people hacking into servers running wu-ftp.

Hope I helped.
--Brian

-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG [mailto:owner-freebsd-questions@FreeBSD.ORG] On Behalf Of Darren
Sent: Thursday, August 08, 2002 11:43 PM
To: fbsd-questions
Subject: strange ls and date commands (innocent or suspicious?)

I came across two files "ls" and "date" in an odd place with slightly different permissions and different groups. I'm running 4.6 with some stuff backed up from 4.4. It seems that I copied them from my old box.

I don't think this box has been compromised. Nothing other than ports 80 and 25 has ever been open, plus I keep a close watch on it with aide. It's a new install and I'm keeping it up-to-date. But I wonder if my old one was.

Do you think these filenames are suspicious? Do they have logical explanations?

In /hd2/var/ftp/bin, I have:

    ---x--x--x  1 root  operator  298904 Jun 16 09:39 ls
    ---x--x--x  1 root  operator  185792 Jun 16 09:39 date

In /bin, I have:

    -r-xr-xr-x  1 root  wheel  298904 Jun 10 23:18 /bin/ls
    -r-xr-xr-x  1 root  wheel  185792 Jun 10 23:18 /bin/date

    scsibox# which ls
    /bin/ls
    scsibox# which date
    /bin/date

Also, I found this entry in /etc/passwd:

    ftp:*:14:5::0:0:Anonymous FTP Admin:/hd2/var/ftp:/nonexistent

I took it out. But it sort of explains why I had /hd2/var/bin and /hd2/var/etc directories.

TIA,
Darren

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
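The check a practitioner would run before deciding whether a chroot copy of ls or date is a trojan is a byte-level comparison against the system binary, not a look at the filename or mode alone: the two listings above show identical sizes, which is consistent with a faithful copy, but only a hash settles it. The script below is an added example written for this thread, not code from either poster; the paths /hd2/var/ftp/bin/ls and /bin/ls are taken from the post, and the demo files it builds are constructed stand-ins, not the real binaries. The mode-111 copies in the post can only be hashed as root, since execute-only files are not readable.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check a binary found inside an
# FTP chroot against the system copy before deciding whether it is suspicious.
# If the box is really suspected, run the ls/sha256sum used here from known-good
# media, since a trojaned ls can lie about itself.

# Hex SHA-256 of a file: sha256sum where present (Linux), openssl otherwise (BSD).
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/.*= //'
    fi
}

# "mode owner group" of a file from ls -ld (portable across GNU and BSD stat).
mode_owner_group() {
    ls -ld "$1" | awk '{print $1, $3, $4}'
}

# compare_bin CHROOT_COPY SYSTEM_COPY
#   returns 0: byte-identical content (mode/owner/group differences are only reported)
#   returns 1: content differs, so the chroot copy is not the same program
#   returns 2: a path is missing
compare_bin() {
    a=$1; b=$2
    [ -f "$a" ] && [ -f "$b" ] || { echo "compare_bin: missing $a or $b" >&2; return 2; }
    da=$(digest "$a"); db=$(digest "$b")
    sa=$(wc -c < "$a" | tr -d ' '); sb=$(wc -c < "$b" | tr -d ' ')
    echo "$a: $sa bytes $(mode_owner_group "$a") sha256=$da"
    echo "$b: $sb bytes $(mode_owner_group "$b") sha256=$db"
    if [ "$da" != "$db" ]; then
        echo "CONTENT DIFFERS: inspect $a (file, strings, compare with a clean install)"
        return 1
    fi
    if [ "$(mode_owner_group "$a")" != "$(mode_owner_group "$b")" ]; then
        echo "same content, different mode/owner/group (normal for a chroot copy)"
    else
        echo "identical content and metadata"
    fi
    return 0
}

# Demo on constructed files (not the poster's binaries): one faithful copy of a
# small stand-in "binary" with different mode, and one copy with a byte changed.
demo() {
    tmp=$(mktemp -d)
    printf 'abc' > "$tmp/bin_ls"          # stands in for /bin/ls
    cp "$tmp/bin_ls" "$tmp/ftp_ls"        # faithful chroot copy
    chmod 555 "$tmp/ftp_ls"               # 111 as in the post needs root to hash
    printf 'abd' > "$tmp/ftp_ls_bad"      # a copy with one byte changed
    compare_bin "$tmp/ftp_ls" "$tmp/bin_ls" || echo "(exit $?)"
    compare_bin "$tmp/ftp_ls_bad" "$tmp/bin_ls" || echo "(exit $?)"
    rm -rf "$tmp"
}

# On the real box: compare_bin /hd2/var/ftp/bin/ls /bin/ls
demo
```

A matching hash says the chroot copy is the same program as the one in /bin on this box; it does not say /bin/ls itself is clean, which is what the AIDE database and a comparison against the install media are for.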