From owner-freebsd-hackers@FreeBSD.ORG Sat Jan 14 18:27:47 2006
Message-ID: <2381067.post@talk.nabble.com>
Date: Sat, 14 Jan 2006 10:27:45 -0800 (PST)
From: "anchor (sent by Nabble.com)"
To: freebsd-hackers@freebsd.org
In-Reply-To: <2374502.post@talk.nabble.com>
References: <2374502.post@talk.nabble.com>
Subject: Re: My machine been hacked, I need help

Many thanks for all the replies. I need more time to understand them ;)

I have taken my machine off the internet to protect against further damage. It takes me time to research it since I'm not that experienced with the system.

The machine was hacked by my former system admin. But I need evidence. He put his machine's IP into my rc.firewall file to allow him sudo. That's the only evidence I found. By the way, does sudo also leave a logfile somewhere?

There is another problem: The hacker also changed something or maybe added a backend process to automatically log me out within 1 minute of being idle. I checked the .profile of my account and of the root account. It is very hard for me to stay at a screen and think, investigate, etc.

--
View this message in context: http://www.nabble.com/My-machine-been-hacked%2C-I-need-help-t915435.html#a2381067
Sent from the freebsd-hackers forum at Nabble.com.