From owner-freebsd-security@FreeBSD.ORG Sat Jun 12 13:07:05 2004
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4A82B16A4CE for ; Sat, 12 Jun 2004 13:07:05 +0000 (GMT)
Received: from smtp.mi.is (smtp.mi.is [217.151.180.17]) by mx1.FreeBSD.org (Postfix) with ESMTP id C6A5D43D1F for ; Sat, 12 Jun 2004 13:07:04 +0000 (GMT) (envelope-from thib@mi.is)
Received: from caulfield (bofh.bitcode.org [217.151.165.254]) by smtp.mi.is (8.12.10/8.12.10/1.0.1) with SMTP id i5CD2p27019707 for ; Sat, 12 Jun 2004 13:02:51 GMT
Date: Sat, 12 Jun 2004 13:03:07 +0000
From: Thordur Ivar
To: freebsd-security@freebsd.org
Message-Id: <20040612130307.2c4483cb.thib@mi.is>
In-Reply-To: <019101c45072$a8b9cfe0$3501a8c0@pro.sk>
References: <019101c45072$a8b9cfe0$3501a8c0@pro.sk>
Organization: n/a
X-Mailer: Sylpheed version 0.9.10 (GTK+ 1.2.10; i386-portbld-freebsd5.2)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Subject: Re: Hacked or not appendice
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Sat, 12 Jun 2004 13:07:05 -0000

I have on a CD a number of binaries (sources actually), e.g. ls, find, grep, awk, sed, locate, etc., and when I believe that a machine has been cracked I remove the network cable from that machine, mount the CD-ROM, build the sources and start looking. If I need something in that process I put it on my USB memstick from a 'trusted machine' and move it by hand over. Roughly speaking this is my process.

> On Sat, 12 Jun 2004 13:44:45 +0200
> "Peter Rosa" wrote:
> Hi all again,
>
> I must add, there are no log entries after June 9, 2004. "LKM" message first
> appeared June 8, 2004; after this day, there is nothing in /var/messages,
> /var/security .....
>
> How could I look for a suspicious LKM module? How could I find it, if the
> machine is hacked and I can not believe "ls", "find" etc. commands?
>
> Peter Rosa
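As an added example, not part of either post, the following POSIX sh script shows the kind of baseline comparison that tools built from the trusted CD make possible: a `kldstat` listing of loaded kernel modules checked against one saved while the host was clean, and a checksum manifest of userland binaries checked against one produced on the trusted machine. All module names, hashes and paths in it are constructed samples.

```shell
# Added example, not from the thread: two baseline comparisons a responder can run
# with tools built from trusted media. All listings below are constructed samples.

# Constructed: `kldstat` output saved while the host was known to be clean.
BASELINE_KLD='Id Refs Address    Size     Name
 1    3 0xc0400000 5c1f90   kernel
 2    1 0xc09c2000 57da8    acpi.ko'
# Constructed: `kldstat` output from the suspect host now (one extra module).
CURRENT_KLD='Id Refs Address    Size     Name
 1    4 0xc0400000 5c1f90   kernel
 2    1 0xc09c2000 57da8    acpi.ko
 3    1 0xc0a1a000 3f00     rogue_example.ko'

# Print module names present in the current listing but absent from the baseline.
# $1 = baseline listing, $2 = current listing, both exactly as kldstat prints them.
unexpected_modules() {
    printf '%s\n' "$2" | awk -v base="$1" '
        BEGIN {
            n = split(base, line, "\n")
            for (i = 2; i <= n; i++) {     # i=1 is the header line
                split(line[i], f, " ")     # f[5] is the Name column
                known[f[5]] = 1
            }
        }
        NR > 1 && !($5 in known) { print $5 }'
}

# Constructed: "hash path" manifest made on the trusted machine (sha256 -r style).
TRUSTED_SUMS='1111aaaa /bin/ls
2222bbbb /usr/bin/find
3333cccc /usr/bin/netstat'
# Constructed: same files on the suspect host, hashed with the CD-built tool.
SUSPECT_SUMS='1111aaaa /bin/ls
2222bbbb /usr/bin/find
deadbeef /usr/bin/netstat'

# Print paths whose hash differs from, or is missing in, the trusted manifest.
# $1 = trusted manifest, $2 = suspect manifest.
changed_binaries() {
    printf '%s\n' "$2" | awk -v trusted="$1" '
        BEGIN {
            n = split(trusted, line, "\n")
            for (i = 1; i <= n; i++) { split(line[i], f, " "); good[f[2]] = f[1] }
        }
        !($2 in good) || good[$2] != $1 { print $2 }'
}

echo "Modules not in baseline:";          unexpected_modules "$BASELINE_KLD" "$CURRENT_KLD"
echo "Binaries differing from manifest:"; changed_binaries "$TRUSTED_SUMS" "$SUSPECT_SUMS"
```

The manifest check catches replaced userland binaries because the hashing tool itself came from the CD, but the module check is only as honest as the running kernel, since a kernel module can hide itself from `kldstat`; the authoritative comparison is therefore against the disk examined from trusted boot media.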