From: "Lewis Watson"
Delivered-To: freebsd-security@freebsd.org
To: "Craig Riter"
Date: Sun, 7 Dec 2003 11:25:38 -0600
Subject: Re: possible compromise or just misreading logs
Message-ID: <001301c3bce7$217419b0$df0a0a0a@visionsix.net>
References: <000b01c3bce5$a411f9c0$65ffa8c0@EOS>
List-Id: Security issues [members-only posting]

> So, my question is did I have a break-in? This machine is accessible only
> as a web server through NAT and ipfw (if I configured my ipfw correctly). I
> had just installed Apache 1.3.29.
>
> Second, what are people using for intrusion detection? This is something I
> have thought about but never really thought I needed until now.

Hi Craig,

Are you sure that you did not install any of the ports around this time?
Usually you would see this type of activity when a program is installed.
You should probably do a ps aux and sockstat -4 to see what is running and
open.

There are two programs that I am familiar with for monitoring changes:
chkrootkit and tripwire. Chkrootkit is trivial to install, but tripwire is
a much more complete package. I am sure there are others here who can
provide much more insight into this.

Thanks.
Lewis