From owner-freebsd-security@FreeBSD.ORG Mon Jun 9 18:32:21 2003
Date: Mon, 9 Jun 2003 21:32:14 -0400
From: Ken Ebling
To: security@freebsd.org
Subject: Have I been hacked?
Message-Id: <5D6A2AB8-9AE3-11D7-9B57-000393CAE6EC@deevil.homeunix.org>
List-Id: Security issues [members-only posting]
X-List-Received-Date: Tue, 10 Jun 2003 01:32:21 -0000

I'm noticing something strange on two of my machines. They're both 4.7-RELEASE-p3 i386 and they've both been up 150 days without any problems.

/var/log/messages on each system contains only:

    Jun 9 12:00:01 in newsyslog[60291]: logfile turned over

dmesg's output is truncated. It periodically changes, but currently it reads:

    ite.net host=6532251hfc207.tampabay.rr.com [65.32.251.207]

What's really weird is that yesterday the messages file also only contained the line about the log being turned over, but today I unzipped messages.0 and it had entries for yesterday. I'm going to check messages.0 again after midnight and see if any of today's entries are there.
Hindsight is always 20/20, and now I wish I had tripwire or aide installed. =/

I rebooted one of the machines, and now it seems to be acting normal again. I'm going to rebuild world on all my systems and install tripwire anyways, but I'm kind of curious as to whether my machines have been rooted or not.

I don't know if chkrootkit v0.40 is very accurate or even worthwhile, but it reported no problems. I also checked for standard stuff like suid binaries and accounts with a uid of 0. Nothing looks out of place, aside from the messages file being empty and suddenly filling with data before newsyslog gzips it.

Any thoughts would be greatly appreciated,
Ken Ebling
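The checks the mail mentions (uid-0 accounts, setuid binaries, a messages file holding nothing but the newsyslog turnover line) and the file baseline that tripwire or aide would have provided, as an added example that is not part of the original post. It is plain POSIX sh and runs offline on constructed sample data; the account name, paths and log lines in the demo are made up for illustration. It assumes find, awk, grep, diff and one of sha256sum, shasum or FreeBSD's sha256(1) are present. One caveat a practitioner would add: on a host that may already be rooted, find, ls, awk and the kernel itself can be lying, so a baseline is only trustworthy if it was taken before the incident, stored where the machine cannot rewrite it, and compared from trusted media such as the install CD.

```shell
#!/bin/sh
# Added example, not from the original post: offline-runnable versions of the
# checks discussed in the mail plus a bare-bones file baseline of the kind
# tripwire/aide automate. Assumes POSIX sh, find, awk, grep, diff and one of
# sha256sum / shasum / FreeBSD sha256(1).
set -u

# Login names with uid 0 other than the two FreeBSD installs (root and toor).
uid0_accounts() {
  awk -F: '$3 == 0 && $1 != "root" && $1 != "toor" { print $1 }' "$1"
}

# Regular files with the setuid or setgid bit set under a directory, sorted.
find_setuid() {
  find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Number of lines in a syslog file that are not newsyslog's turnover marker.
# 0 means the file is "empty except for the rotation line", as in the mail.
log_entries() {
  grep -vc 'newsyslog\[[0-9]*\]: logfile turned over' "$1" || true
}

# SHA-256 of one file using whichever tool the host has (sha256 -q on FreeBSD).
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{ print $1 }'
  elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1" | awk '{ print $1 }'
  else sha256 -q "$1"
  fi
}

# Baseline: one "digest  path" line per regular file under a directory.
# Keep the output somewhere the machine cannot rewrite it (offline media).
make_baseline() {
  find "$1" -type f | sort | while IFS= read -r f; do
    printf '%s  %s\n' "$(hash_file "$f")" "$f"
  done
}

# Compare a directory against a stored baseline. Prints one line per file that
# is missing, new or modified; returns 0 when nothing changed, 1 otherwise.
check_baseline() {
  cur=$(mktemp) || return 2
  make_baseline "$1" > "$cur"
  diff "$2" "$cur" | awk '/^</ { print "missing-or-modified", $3 }
                          /^>/ { print "new-or-modified", $3 }'
  status=$(diff -q "$2" "$cur" >/dev/null 2>&1; echo $?)
  rm -f "$cur"
  return "$status"
}

# Demo on constructed data (not real files from the machines in the mail).
demo() {
  t=$(mktemp -d) || return 2
  # passwd(5)-style file with a constructed, unexpected uid-0 account.
  printf 'root:*:0:0:Charlie &:/root:/bin/csh\n' > "$t/passwd"
  printf 'toor:*:0:0:Bourne-again Superuser:/root:\n' >> "$t/passwd"
  printf 'ken:*:1001:1001::/home/ken:/bin/sh\n' >> "$t/passwd"
  printf 'backup2:*:0:0::/tmp:/bin/sh\n' >> "$t/passwd"
  echo "unexpected uid-0 accounts: $(uid0_accounts "$t/passwd")"

  mkdir "$t/bin"; : > "$t/bin/ls"; : > "$t/bin/su"; chmod 4755 "$t/bin/su"
  echo "setuid files: $(find_setuid "$t/bin")"

  # Constructed syslog content modelled on the single line quoted in the mail.
  printf 'Jun  9 12:00:01 in newsyslog[60291]: logfile turned over\n' > "$t/messages"
  echo "non-turnover log lines: $(log_entries "$t/messages")"

  make_baseline "$t/bin" > "$t/baseline"
  echo tampered > "$t/bin/ls"          # simulate a replaced binary
  check_baseline "$t/bin" "$t/baseline" || echo "baseline mismatch (expected here)"
  rm -rf "$t"
}

demo
```

The baseline functions deliberately use only a digest list and diff; real tools also record inode, mode, owner and mtime and sign the database, which is what makes them worth installing before the next 150 days of uptime rather than after.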