Date: Tue, 1 Sep 1998 06:57:19 -0700 (PDT)
From: Jim Mock
To: freebsd-questions@FreeBSD.ORG
Subject: questions

Ok, I might be clueless and/or a complete moron, but I've got a few questions about restoring files to the original/upgrading to a later version.

Here's the deal.. I'm running 2.2.5-RELEASE, and recently the box has been hacked. I've managed to block out the attackers using ipfw and tcp wrappers, but after reading some stuff on CERT's site, I started checking the files on the machine in question with another machine and found some differences.. here they are..

**** ls ****

[jim@phear]$ ls -la /bin/ls
-r-xr-xr-x 1 bin bin 22987 Oct 21 1997 ls

[jim@hendrix]$ ls -la /bin/ls
-r-xr-xr-x 1 bin bin 155648 Oct 21 1997 ls

**** lpd ****

[jim@phear]$ ls -la /usr/sbin/lpd
-r-xr-xr-x 1 bin bin 8984 Aug 9 11:47 /usr/sbin/lpd

[jim@hendrix]$ ls -la /usr/sbin/lpd
-r-xr-xr-x 1 bin bin 53248 Oct 21 1997 /usr/sbin/lpd

**** ps ****

[jim@phear]$ ls -la /bin/ps
-r-xr-sr-x 1 bin kmem 31587 Oct 21 1997 /bin/ps

[jim@hendrix]$ ls -la /bin/ps
-r-xr-sr-x 1 bin kmem 167936 Oct 21 1997 /bin/ps

My question is this..
a) how do I go about replacing those files with the originals without reinstalling, and

b) I've got other machines running the same release and I was wondering if I could copy the files from the other box and replace the ones in question. I'm not sure if that'd work or not, so I figured I'd ask.

I'd just reinstall to 2.2.7, but I have the box at an ISP in Portland that I worked for, and I live in Australia now, so that's kind of a problem.

Any info would be greatly appreciated. Thanks.

Jim

+---------------------------------------+
| Jim Mock | Phear.Net | KidzHaven      |
| Web Site Design & Hosting Services    |
| email - jim@phrantic.phear.net/       |
| www - http://www.phear.net/           |
| www - http://www.kidzhaven.com/       |
+---------------------------------------+
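
The comparison described in the message above (checking binaries on the suspect machine against another machine running the same release), as an added example that is not part of the original post. It compares SHA-256 digests as well as sizes, since size and date alone can match on a replaced binary; the function names and the manifest format are assumptions made here, and paths are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example (not from the original post): build a manifest of system
# binaries on a known-good host and on the suspect host, then compare them.
# Run the tools from trusted media or a trusted host with the suspect disk
# mounted: on the suspect machine ls and ps are among the files that differ.

# hash_file PATH: print the SHA-256 hex digest using whichever tool exists.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                      # FreeBSD base system
    else
        openssl dgst -sha256 "$1" | awk '{ print $NF }'
    fi
}

# make_manifest ROOT PATH...: print "path size sha256" for each PATH under
# ROOT (ROOT is "" for the live system, or a mount point for an offline disk).
make_manifest() {
    root=$1; shift
    for p in "$@"; do
        f="$root$p"
        if [ -f "$f" ]; then
            size=$(wc -c < "$f" | tr -d ' ')
            printf '%s %s %s\n' "$p" "$size" "$(hash_file "$f")"
        else
            printf '%s MISSING -\n' "$p"
        fi
    done
}

# compare_manifests GOOD SUSPECT: print one line per path whose size or
# digest differs from the known-good manifest, or that is absent from it.
compare_manifests() {
    awk 'NR == FNR                 { good[$1] = $2 " " $3; next }
         !($1 in good)             { print "EXTRA " $1; next }
         good[$1] != ($2 " " $3)   { print "MISMATCH " $1 }' "$1" "$2"
}

# Typical use (paths taken from the listing in the post):
#   make_manifest "" /bin/ls /bin/ps /usr/sbin/lpd > good.txt       # on hendrix
#   make_manifest /mnt /bin/ls /bin/ps /usr/sbin/lpd > suspect.txt  # phear's disk
#   compare_manifests good.txt suspect.txt
```
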