Date: Mon, 18 Dec 2000 14:00:36 -0500
From: "Drew J. Weaver" <drew.weaver@thenap.com>
To: "'Zaitsau, Andrei'" <AZaitsau@panasonicfa.com>, net@freebsd.org
Subject: RE: Hacked computer
Message-ID: <B1A7D9973EBED3119ADD009027DC8649180930@mailman.thenap.com>
[-- Attachment #1 --]

I would do a find / -name g

g is a well-known rootkit. I'm not sure if it works with FreeBSD, but I am sure it can be modified; that is what most of the script kiddies are using these days. It changes a bunch of things like ps, and last and who...

If you find a directory called 'g', unless it's terminfo/g, you may want to search on Google or somewhere and see if you can locate a list of the files that are modified by this rootkit.

Most of the time hax0r-kiddies log in through services that are left open, i.e. PostGres has a default account that they can get in through.. Take a look.

Thanks,

-Drew

-----Original Message-----
From: Zaitsau, Andrei [mailto:AZaitsau@panasonicfa.com]
Sent: Monday, December 18, 2000 1:47 PM
To: net@freebsd.org
Subject: Hacked computer

Hello everyone,
I have a problem: in the morning someone hacked into my computer at home. It is an ADSL gateway running FreeBSD 3.4; the root password was changed by the hacker.
Can anyone tell me where on the system I can find some tracks of a hacker?
What should I check first?
Which log files?
Anyone? Please?
Thanks.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
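The two checks the reply suggests (look for directories named g outside terminfo, and treat ps, last and who as suspect) can be scripted so they are repeatable against a mounted image of the compromised disk rather than run from a live system whose own find and cksum may have been replaced. The script below is an added example for this thread, not code from either poster; the ROOT argument, the baseline file format ("CRC SIZE NAME" lines from cksum(1), recorded while the binaries were still trusted) and the demo tree are all constructed here as assumptions.

```shell
#!/bin/sh
# Added triage helper (not from the original thread). Assumes POSIX sh,
# find(1) and cksum(1). ROOT defaults to / but should be pointed at a
# mounted image of the suspect disk, so trusted tools do the checking.

# Print directories named "g" below ROOT, skipping the legitimate
# terminfo/g entries the reply mentions.
find_g_dirs() {
    root=${1:-/}
    find "$root" -type d -name g ! -path '*/terminfo/*' 2>/dev/null
}

# Compare cksum(1) output of the commonly replaced binaries against a
# baseline file of "CRC SIZE NAME" lines (NAME relative to ROOT) that was
# recorded from trusted media. Prints one line per missing or modified
# binary and nothing when everything matches.
check_binaries() {
    root=${1:-/}
    baseline=$2
    while read -r want_crc want_size name; do
        [ -n "$name" ] || continue
        path="$root/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING $name"
            continue
        fi
        # cksum prints "CRC SIZE PATH"; positional params are local to the function
        set -- $(cksum "$path")
        if [ "$1" != "$want_crc" ] || [ "$2" != "$want_size" ]; then
            echo "MODIFIED $name (cksum $1 $2, expected $want_crc $want_size)"
        fi
    done < "$baseline"
}

# Constructed demo tree so the script runs offline: one legitimate
# terminfo/g, one hidden g directory, and a ps binary replaced after the
# baseline was taken.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/share/misc/terminfo/g" "$tmp/tmp/.x/g" "$tmp/bin" "$tmp/usr/bin"
    printf 'original ps\n'   > "$tmp/bin/ps"
    printf 'original who\n'  > "$tmp/usr/bin/who"
    printf 'original last\n' > "$tmp/usr/bin/last"
    for f in bin/ps usr/bin/who usr/bin/last; do
        set -- $(cksum "$tmp/$f")
        echo "$1 $2 $f"
    done > "$tmp/baseline.txt"
    printf 'replaced ps\n' > "$tmp/bin/ps"     # simulate a trojaned ps
    echo "== suspicious g directories =="
    find_g_dirs "$tmp"
    echo "== binaries differing from baseline =="
    check_binaries "$tmp" "$tmp/baseline.txt"
    rm -rf "$tmp"
}

case "${1:-}" in --demo) demo ;; esac
```

Run it as `sh triage.sh --demo` to see the constructed case; for a real case, source the file and call `find_g_dirs /mnt/suspect` and `check_binaries /mnt/suspect baseline.txt` with a baseline taken from install media. cksum is used rather than a cryptographic hash only because it is guaranteed present on a FreeBSD 3.x base system; it detects accidental and careless replacement, not an attacker who deliberately matches the CRC.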
