From: fasty
To: Ken Ebling
cc: freebsd-security@freebsd.org
Date: Tue, 10 Jun 2003 03:04:13 +0000
Subject: Re: Have I been hacked?

Ohh, you need to update your FreeBSD source and rebuild, because there is a patch 10.
I noticed yours is FreeBSD 4.7-RELEASE-p3, compared to mine, FreeBSD 4.7-RELEASE-p10.

-fasty

On Mon, Jun 09, 2003 at 09:32:14PM -0400, Ken Ebling wrote:
> I'm noticing something strange on two of my machines.. They're both
> 4.7-RELEASE-p3 i386 and they've both been up 150 days without any
> problems...
>
> /var/log/messages on each system contains only:
> Jun 9 12:00:01 in newsyslog[60291]: logfile turned over
>
> dmesg's output is truncated.. it periodically changes, but currently
> it reads:
> ite.net host=6532251hfc207.tampabay.rr.com [65.32.251.207]
>
> What's really weird, is yesterday the messages file also only contained
> the line about the log being turned over, but today I unzipped
> messages.0 and it had entries for yesterday. I'm going to check
> messages.0 again after midnight and see if any of today's entries are
> there.
>
> Hindsight is always 20/20, and now I wish I had tripwire or aide
> installed. =/
>
> I rebooted one of the machines, and now it seems to be acting normal
> again..
>
> I'm going to rebuild world on all my systems and install tripwire
> anyways, but I'm kind of curious as to whether my machines have been
> rooted or not. I don't know if chkrootkit v0.40 is very accurate or
> even worthwhile, but it reported no problems. I also checked for
> standard stuff like suid binaries and accounts with a uid of 0.
> Nothing looks out of place, aside from the messages file being empty
> and suddenly filling with data before newsyslog gzips it.
>
> Any thoughts would be greatly appreciated,
>
> Ken Ebling