Date: Mon, 18 Dec 2000 14:00:36 -0500
From: "Drew J. Weaver" <drew.weaver@thenap.com>
To: "'Zaitsau, Andrei'" <AZaitsau@panasonicfa.com>, net@freebsd.org
Subject: RE: Hacked computer
Message-ID: <B1A7D9973EBED3119ADD009027DC8649180930@mailman.thenap.com>
I would do a find / -name g

g is a well known rootkit, I'm not sure if it works with FreeBSD but I am sure it can be modified, that is what most of the script kiddies are using these days, it changes a bunch of things like ps, and last and who... If you find a directory called 'g' unless it's terminfo/g you may want to search on google or somewhere and see if you can locate a list of the files that are modified by this rootkit.

Most of the time hax0r-kiddies login through services that are left open, i.e. PostGres has a default account that they can get in through.. Take a look.

Thanks,

-Drew

-----Original Message-----
From: Zaitsau, Andrei [mailto:AZaitsau@panasonicfa.com]
Sent: Monday, December 18, 2000 1:47 PM
To: net@freebsd.org
Subject: Hacked computer

Hello everyone,

I have a problem, in the morning someone hacked into my computer at home. It is an ADSL gateway running FreeBSD 3.4, the root password was changed by the hacker.
Can anyone tell where on the system I can find some tracks of a hacker?
What should I check first?
Which log files?
Anyone? Please?
Thanks.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
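The two checks Drew's reply describes, written out as an added example (not code from the thread): the search for a directory named g that skips the legitimate terminfo/g match, and a comparison of the binaries he says the rootkit replaces (ps, last, who) against a checksum baseline. The baseline file format ("crc size path", as printed by cksum) and the assumption that such a baseline was recorded before the compromise are mine; cksum is used because it exists on both FreeBSD and Linux.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a baseline of "crc size path"
# lines (cksum output) recorded from a known-good system or install media.

# Print directories named "g" below $1 (default /), except terminfo/g,
# which the reply notes is the one expected hit.
find_g_dirs() {
    find "${1:-/}" -type d -name g 2>/dev/null | grep -v '/terminfo/g$' || true
}

# Record a baseline: one "crc size path" line per file given.
record_baseline() {
    baseline="$1"; shift
    cksum "$@" > "$baseline"
}

# Compare each listed file with the baseline. Prints one line per problem
# (CHANGED, MISSING, NOBASELINE) and returns 1 if any file differs,
# 0 if every file matches its recorded checksum and size.
check_binaries() {
    baseline="$1"; shift
    rc=0
    for f in "$@"; do
        expected=$(awk -v p="$f" '$3 == p { print $1 " " $2 }' "$baseline")
        if [ -z "$expected" ]; then
            echo "NOBASELINE $f"; rc=1; continue
        fi
        actual=$(cksum "$f" 2>/dev/null | awk '{ print $1 " " $2 }')
        if [ -z "$actual" ]; then
            echo "MISSING $f"; rc=1
        elif [ "$actual" != "$expected" ]; then
            echo "CHANGED $f"; rc=1
        fi
    done
    return $rc
}
```

Because the reply says the rootkit replaces system binaries, run this from a clean boot medium or against the mounted disk rather than with the suspect system's own find, cksum and awk.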