From: Julian Elischer <julian@elischer.org>
Date: Fri, 13 Jan 2006 20:17:15 -0800
To: anchor, hackers@freebsd.org
Subject: Re: My machine been hacked, I need help
Message-ID: <43C87B4B.1080606@elischer.org>
In-Reply-To: <2374502.post@talk.nabble.com>

anchor (sent by Nabble.com) wrote:
>My machine has been hacked. The message file was modified. Old dated backup files are deleted. The last log was truncated. You are gurus. Would you please tell me where I can find other trace files or log files to figure out where the hacker came from?
>
>Thanks a lot.
>--
>View this message in context: http://www.nabble.com/My-machine-been-hacked%2C-I-need-help-t915435.html#a2374502
>Sent from the freebsd-hackers forum at Nabble.com.
If you can get into the kernel debugger you may try to do a ps from there and see if there are any strange processes running.

Of course the first thing to do is physically unplug the machine. Then make a backup for forensic purposes if you can.

You don't say what version of the system it is and what it runs as services.

There are rootkit finders in the ports under 'security'. If you installed from CD, see if you can get it from there.
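As an added illustration (not part of the thread, and not FreeBSD's own tooling), the following Python script checks a copy of a BSD-format syslog file for the kind of tampering the original poster describes: a timeline that jumps backwards, long stretches of silence where lines were removed, lines that are not syslog output at all, and a head that does not start with the "logfile turned over" marker newsyslog(8) writes when it rotates a log. The sample log lines are constructed for the example; the one-hour gap threshold and the year argument (BSD syslog timestamps carry no year) are assumptions to adjust for the machine in question.

```python
"""Syslog timeline check: flag gaps, backwards jumps and foreign lines that
suggest a log was truncated or rewritten. Added example, not from the thread."""
import re
from datetime import datetime, timedelta

# BSD syslog timestamp: "Jan 13 20:17:15 " or "Jan  3 04:05:06 " (day is space-padded).
_TS_RE = re.compile(r"^([A-Z][a-z]{2}) ([ \d]\d) (\d\d):(\d\d):(\d\d) ")

# newsyslog(8) writes this as the first line of a freshly rotated log file.
ROTATION_MARKER = "logfile turned over"


def parse_ts(line, year):
    """Return the line's timestamp as a datetime in `year`, or None when the
    line does not begin with a syslog timestamp."""
    m = _TS_RE.match(line)
    if not m:
        return None
    month = datetime.strptime(m.group(1), "%b").month
    return datetime(year, month, int(m.group(2)),
                    int(m.group(3)), int(m.group(4)), int(m.group(5)))


def find_anomalies(lines, year, max_gap=timedelta(hours=1)):
    """Walk a syslog file once and report where its timeline breaks.
    Returns a list of (line_no, kind, detail) tuples, where kind is one of:
      no_marker  : file does not start with newsyslog's rotation marker
                   (heuristic only: the head of the file may have been cut)
      unparsable : line has no syslog timestamp (hand-edited or binary junk)
      backwards  : timestamp earlier than the previous line (lines re-ordered
                   or the file rebuilt from pieces rather than appended to)
      gap        : silence longer than max_gap (lines removed, or syslogd
                   was stopped for that period)"""
    anomalies = []
    if lines and ROTATION_MARKER not in lines[0]:
        anomalies.append((1, "no_marker", lines[0].rstrip()))
    prev = None
    for n, line in enumerate(lines, 1):
        ts = parse_ts(line, year)
        if ts is None:
            anomalies.append((n, "unparsable", line.rstrip()))
            continue
        if prev is not None:
            # A Dec -> Jan rollover looks like a jump of almost a year backwards;
            # since syslog lines carry no year, advance the assumed year instead.
            if ts < prev and prev - ts > timedelta(days=300):
                year += 1
                ts = ts.replace(year=year)
            if ts < prev:
                anomalies.append((n, "backwards",
                                  f"{prev:%b %d %H:%M:%S} -> {ts:%b %d %H:%M:%S}"))
            elif ts - prev > max_gap:
                anomalies.append((n, "gap", f"{ts - prev} of silence before this line"))
        prev = ts
    return anomalies


# Constructed sample: a rotated /var/log/messages that has been tampered with.
SAMPLE_LOG = [
    "Jan 13 03:00:00 box newsyslog[612]: logfile turned over",
    "Jan 13 03:00:05 box sshd[701]: Accepted publickey for admin from 192.0.2.10 port 51022 ssh2",
    "Jan 13 03:15:41 box su: admin to root on /dev/ttyp0",
    # almost 18 hours with nothing logged on a host that normally logs cron jobs
    "Jan 13 21:02:17 box sshd[3320]: Accepted password for admin from 198.51.100.7 port 40210 ssh2",
    # earlier than the line above it: the file was edited, not appended to
    "Jan 13 20:55:00 box sshd[3318]: Failed password for root from 198.51.100.7 port 40188 ssh2",
    "this is not a syslog line",
]

if __name__ == "__main__":
    for n, kind, detail in find_anomalies(SAMPLE_LOG, 2006):
        print(f"line {n}: {kind}: {detail}")
```

Run it against a copy of the log taken from the forensic backup, never the live file. A gap or a missing rotation marker is a lead rather than proof (an idle machine is also silent), so correlate each flagged window with independent sources such as last(1) output and the daily security mail before drawing conclusions about when the intrusion happened.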