From: "Drew J. Weaver"
To: "'Zaitsau, Andrei'", net@freebsd.org
Subject: RE: Hacked computer
Date: Mon, 18 Dec 2000 14:00:36 -0500
Sender: owner-freebsd-net@FreeBSD.ORG

I would do a find / -name g

g is a well known rootkit. I'm not sure if it works with FreeBSD, but I am sure it can be modified; that is what most of the script kiddies are using these days. It changes a bunch of things like ps, and last and who... If you find a directory called 'g', unless it's terminfo/g, you may want to search on Google or somewhere and see if you can locate a list of the files that are modified by this rootkit.

Most of the time hax0r-kiddies log in through services that are left open, i.e. Postgres has a default account that they can get in through.. Take a look.

Thanks,

-Drew

-----Original Message-----
From: Zaitsau, Andrei [mailto:AZaitsau@panasonicfa.com]
Sent: Monday, December 18, 2000 1:47 PM
To: net@freebsd.org
Subject: Hacked computer

Hello everyone,
I have a problem: in the morning someone hacked into my computer at home. It is an ADSL gateway running FreeBSD 3.4; the root password was changed by the hacker.
Can anyone tell me where on the system I can find some tracks of the hacker?
What should I check first?
Which log files?
Anyone? Please?
Thanks.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
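The two checks Drew suggests, the search for a directory named g (skipping the legitimate terminfo/g entry) and the comparison of ps, last and who against a known-good record, written up as a POSIX shell script. This is an added example, not code from the thread or from FreeBSD; it runs against a constructed fake root in a temporary directory, and the baseline/verify functions, file list and digest helper are my own assumptions rather than anything the original message specified.

```shell
#!/bin/sh
# Added example (not from the thread): defender-side checks for the symptoms
# described in the reply, exercised on a constructed fake root so it is safe offline.
#   1) list directories named "g" but skip the legitimate */terminfo/g entry
#   2) compare ps/last/who against a checksum baseline taken from a trusted copy

digest() {  # portable file digest: prefer sha256, fall back to POSIX cksum
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"
    else cksum "$1" | cut -d' ' -f1; fi
}

# find_g_dirs ROOT: print every directory named g under ROOT except */terminfo/g
find_g_dirs() {
    find "$1" -type d -name g ! -path '*/terminfo/g'
}

# baseline ROOT OUTFILE: record digests of the binaries the reply says get replaced
# (the path list is an assumption; on a real box take it from known-good media)
baseline() {
    for b in bin/ps usr/bin/last usr/bin/who; do
        printf '%s %s\n' "$(digest "$1/$b")" "$b"
    done > "$2"
}

# verify ROOT BASEFILE: print each binary whose digest changed; return 1 if any did
verify() {
    rc=0
    while read -r sum path; do
        if [ "$(digest "$1/$path")" != "$sum" ]; then
            echo "MODIFIED: $path"; rc=1
        fi
    done < "$2"
    return $rc
}

# --- constructed demo tree (not a real system) ---
ROOT=$(mktemp -d)
mkdir -p "$ROOT/bin" "$ROOT/usr/bin" "$ROOT/usr/share/misc/terminfo/g" "$ROOT/tmp/.x/g"
for b in bin/ps usr/bin/last usr/bin/who; do echo "original $b" > "$ROOT/$b"; done
baseline "$ROOT" "$ROOT/baseline.txt"   # taken while the tree is still clean
echo "trojaned" > "$ROOT/bin/ps"          # simulate the rootkit swapping out ps

find_g_dirs "$ROOT"                       # reports only tmp/.x/g, not terminfo/g
verify "$ROOT" "$ROOT/baseline.txt" || echo "integrity check failed"
```

On a live system the baseline must come from trusted install media rather than from the suspect box itself, since the find and checksum tools may have been replaced along with ps.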