Date: Tue, 10 Jun 2003 03:04:13 +0000
From: fasty <fasty@i-sphere.com>
To: Ken Ebling <deevil@deevil.homeunix.org>
Cc: freebsd-security@freebsd.org
Subject: Re: Have I been hacked?
Message-ID: <20030610030413.GA29145@i-sphere.com>
In-Reply-To: <5D6A2AB8-9AE3-11D7-9B57-000393CAE6EC@deevil.homeunix.org>
References: <5D6A2AB8-9AE3-11D7-9B57-000393CAE6EC@deevil.homeunix.org>

Ohh, you need to update your FreeBSD source and rebuild, because there is a
patch 10. I noticed yours is FreeBSD 4.7-RELEASE-p3, compared to mine,
FreeBSD 4.7-RELEASE-p10.

-fasty

On Mon, Jun 09, 2003 at 09:32:14PM -0400, Ken Ebling wrote:
> I'm noticing something strange on two of my machines.. They're both
> 4.7-RELEASE-p3 i386 and they've both been up 150 days without any
> problems...
>
> /var/log/messages on each system contains only:
> Jun 9 12:00:01 in newsyslog[60291]: logfile turned over
>
> dmesg's output is truncated.. it periodically changes, but currently
> it reads:
> ite.net host=6532251hfc207.tampabay.rr.com [65.32.251.207]
>
> What's really weird, is yesterday the messages file also only contained
> the line about the log being turned over, but today I unzipped
> messages.0 and it had entries for yesterday. I'm going to check
> messages.0 again after midnight and see if any of today's entries are
> there.
>
> Hindsight is always 20/20, and now I wish I had tripwire or aide
> installed. =/
>
> I rebooted one of the machines, and now it seems to be acting normal
> again..
>
> I'm going to rebuild world on all my systems and install tripwire
> anyways, but I'm kind of curious as to whether my machines have been
> rooted or not. I don't know if chkrootkit v0.40 is very accurate or
> even worthwhile, but it reported no problems. I also checked for
> standard stuff like suid binaries and accounts with a uid of 0.
> Nothing looks out of place, aside from the messages file being empty
> and suddenly filling with data before newsyslog gzips it.
>
> Any thoughts would be greatly appreciated,
>
> Ken Ebling
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"