Date: Mon, 9 Jun 2003 21:32:14 -0400 From: Ken Ebling <deevil@deevil.homeunix.org> To: security@freebsd.org Subject: Have I been hacked? Message-ID: <5D6A2AB8-9AE3-11D7-9B57-000393CAE6EC@deevil.homeunix.org>
I'm noticing something strange on two of my machines.. They're both 4.7-RELEASE-p3 i386 and they've both been up 150 days without any problems...

/var/log/messages on each system contains only:

Jun 9 12:00:01 in newsyslog[60291]: logfile turned over

dmesg's output is truncated.. it periodically changes, but currently it reads:

ite.net host=6532251hfc207.tampabay.rr.com [65.32.251.207]

What's really weird is, yesterday the messages file also only contained the line about the log being turned over, but today I unzipped messages.0 and it had entries for yesterday. I'm going to check messages.0 again after midnight and see if any of today's entries are there.

Hindsight is always 20/20, and now I wish I had tripwire or aide installed. =/

I rebooted one of the machines, and now it seems to be acting normal again.. I'm going to rebuild world on all my systems and install tripwire anyways, but I'm kind of curious as to whether my machines have been rooted or not. I don't know if chkrootkit v0.40 is very accurate or even worthwhile, but it reported no problems. I also checked for standard stuff like suid binaries and accounts with a uid of 0. Nothing looks out of place, aside from the messages file being empty and suddenly filling with data before newsyslog gzips it.

Any thoughts would be greatly appreciated,

Ken Ebling
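The triage checks the post describes (a messages file holding nothing but the newsyslog turnover line, extra uid 0 accounts, unexpected setuid binaries) as a small added shell example; this is not from the original message, and the file names, sample log lines and passwd entries are constructed for the demonstration. The setuid check compares against a one-path-per-line baseline, the kind of list a tool like tripwire or aide would otherwise maintain.

```shell
#!/bin/sh
# Added triage helpers for the symptoms in the post (not from the original
# message). All sample files below are constructed for the demonstration.

# Line newsyslog writes when it rotates a log, as quoted in the post.
ROTATION_RE='newsyslog\[[0-9]+\]: logfile turned over'

# Succeeds (exit 0) when the log holds nothing but rotation notices, which
# on a host that has been up for months is itself worth investigating.
log_has_only_rotation_lines() {
    others=$(grep -Evc "$ROTATION_RE" "$1" || true)
    [ "$others" -eq 0 ]
}

# Prints uid 0 accounts in a passwd(5)-format file other than root and toor
# (FreeBSD ships toor as a second uid 0 account); fails when any exist.
extra_uid0_accounts() {
    hits=$(awk -F: '$3 == 0 && $1 != "root" && $1 != "toor" { print $1 }' "$1")
    [ -z "$hits" ] || { printf '%s\n' "$hits"; return 1; }
}

# Prints setuid regular files under a directory that are absent from a sorted
# baseline file (one path per line); fails when any new ones are present.
new_suid_files() {
    new=$(find "$1" -type f -perm -4000 | sort | comm -23 - "$2")
    [ -z "$new" ] || { printf '%s\n' "$new"; return 1; }
}

work=$(mktemp -d)
# Constructed messages file matching the post: only the turnover notice.
printf 'Jun  9 12:00:01 in newsyslog[60291]: logfile turned over\n' > "$work/messages"
# Constructed rotated log that still carries ordinary entries.
printf 'Jun  8 03:15:22 in sshd[512]: Accepted publickey for ken from 192.0.2.10\n' > "$work/messages.0"
printf 'Jun  9 00:00:00 in newsyslog[60100]: logfile turned over\n' >> "$work/messages.0"
# Constructed passwd file with an unexpected uid 0 account named "backup".
printf 'root:*:0:0:Charlie &:/root:/bin/csh\n' > "$work/passwd"
printf 'backup:*:0:0:unexpected:/tmp:/bin/sh\n' >> "$work/passwd"
printf 'ken:*:1001:1001:Ken:/home/ken:/bin/sh\n' >> "$work/passwd"
# Constructed directory with one setuid file and an empty baseline.
mkdir -p "$work/bin"; : > "$work/bin/helper"; chmod 4755 "$work/bin/helper"
: > "$work/suid.baseline"

if log_has_only_rotation_lines "$work/messages"; then
    echo "WARNING: $work/messages holds only newsyslog rotation notices"
fi
extra_uid0_accounts "$work/passwd" || echo "WARNING: extra uid 0 account(s) listed above"
new_suid_files "$work/bin" "$work/suid.baseline" || echo "WARNING: setuid files not in baseline listed above"
```

On a real host the same functions would be pointed at /var/log/messages, /etc/passwd and a baseline generated from a known-good system.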