Date: Sun, 11 May 2003 13:19:46 -0700 (PDT)
From: Mikko Työläjärvi <mbsd@pacbell.net>
To: Blaine Kahle <goatee@binary.net>
Cc: freebsd-security@freebsd.org
Subject: Re: Hacked?
Message-ID: <20030511131555.E37892@atlas.home>
In-Reply-To: <20030511180321.GB37652@binary.net>
References: <A695FEAC-8224-11D7-B2CA-000393C94468@sarenet.es> <4.3.2.7.2.20030509110012.03940680@localhost> <20030511180321.GB37652@binary.net>

On Sun, 11 May 2003, Blaine Kahle wrote:

> On Fri, May 09, 2003 at 11:01:21AM -0600, Brett Glass wrote:
> > At 08:25 AM 5/9/2003, Bjoern A. Zeeb wrote:
> >
> > >this assumes that truss is ok ;-) perhaps take the truss from your
> > >other 4.7 machine ...
> >
> > Yes, you do have to be careful of this. I recently investigated a
> > machine that had been "owned," and when truss was applied to some
> > commands (e.g. netstat) it produced no output.
>
> I'm showing that truss'ing netstat produces no output on several
> versions of FreeBSD that I have installed. Is this correct behavior? The
> truss and netstat binaries both check out when compared to the listings
> at http://www.knowngoods.org/

You can't trace setuid/setgid programs. Netstat is setgid kmem. If
you really need to truss it, make a copy and run it as a user with the
requisite privileges (or root).

  $.02,
  /Mikko
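
The check described in the reply above, as an added example that is not part of the original message: before reading an empty truss trace as a sign of tampering, test whether the target is setuid/setgid and, if so, trace a plain copy instead. The function names `is_setid` and `traceable_copy` are hypothetical helpers introduced here.

```shell
#!/bin/sh
# Added example, not code from the thread. Helper names are hypothetical.

# is_setid FILE: succeeds when FILE carries the setuid or setgid bit,
# i.e. when the reply's "you can't trace it" rule applies.
is_setid() {
    [ -u "$1" ] || [ -g "$1" ]
}

# traceable_copy FILE DIR: print the path that should be handed to truss.
# For a set-id binary this is a copy placed in DIR. cp without -p does not
# carry the set-id bits over, so the copy runs with the caller's own
# credentials and the tracer is allowed to attach to it.
traceable_copy() {
    src=$1
    dir=$2
    if is_setid "$src"; then
        dst="$dir/$(basename "$src").copy"
        cp "$src" "$dst" || return 1
        chmod u-s,g-s "$dst" || return 1   # explicit, in case cp is aliased to cp -p
        printf '%s\n' "$dst"
    else
        printf '%s\n' "$src"
    fi
}

# Stand-alone use: pass one binary, get back the path to trace.
#   sh thisfile "$(command -v netstat)"
# Then run truss on the printed path as root or another user with the
# privileges the set-id bit used to supply (kmem access for netstat).
if [ "$#" -eq 1 ]; then
    work=$(mktemp -d) || exit 1
    traceable_copy "$1" "$work"
fi
```

The copy no longer gains the kmem group on its own, which is why the reply says to run it as a user with the requisite privileges.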