Date: Fri, 02 May 2003 17:13:54 -0300 From: Tony Meman <none@superig.com.br> To: freebsd-security@freebsd.org Subject: Re: Did i get hacked? Message-ID: <3EB2D182.8010209@superig.com.br>
next in thread | raw e-mail | index | archive | help
Hi Mario, well any strange activity in the system should be taken in consideration so I really think you should audit your system. You said the reboot ocurred at 0:32am, its a good idea to search for files modified around that time. You could use the binary of some trustable system just in case /usr/bin/find got trojaned. You said you did not find anything in the logs, they could have been erased, use chkrootkit to verify if there are wtmp/lastlog entries that may have been erased. Chkrootkit is a pretty nice utility and will be able to tell you if there're hidden processes running on the system (comparing output from ps with /proc entries) and search for well-known rootkits. The tool is not perfect but helps a lot, check it out: http://www.chkrootkit.org Good luck, -- Marcello Azambuja mario wrote: > hello, > i have a FreeBSD 4.8-PRERELEASE #0 that i use as a gateway / nat box for > my home. > It also acts as a dns / mail server to the outside world. > I'm using ipf and basically filter for bogus networks on the way in and out. > I allow everything out keeping state, > and allow this in: > pass in proto icmp from any to any icmp-type squench group 200 > pass in proto icmp from any to any icmp-type timex group 200 > pass in proto icmp from any to any icmp-type paramprob group 200 > pass in quick proto tcp from any port > 1023 to any port = smtp group 200 > pass in quick proto udp from any port > 1023 to any port = domain group 200 > > on these ports i run qmail and tinydns > > i was a bit sloppy by leaving these w/out a password > figuring they can't login anyway. > > gtinydns::nnnn:nnnn::0:0:tinydns:/nonexistent:/sbin/nologin > gdnslog::nnnn:nnnn::0:0:dns logger:/nonexistent:/sbin/nologin > gaxfrdns::nnnn:nnnn::0:0:zone transfer:/nonexistent:/sbin/nologin > > I've changed this now though i'm still not sure about the implications of > this. > Also i'm not running tripwire or any other intrusion detection. > > Here's my problem. When i got up this morning, i noticed that the box > rebooted > at 0:32 this morning. I have 3 other computers that did not reboot leaving me > to believe there was no power failure. I looked through all the logs seeking > clues as to what happened. Hardware failure? It is an old p-75 and the hard > drive has had issues in udma-2 but has been doing fine for months in pio4 > mode. > I also have a cron job at 0:30 to move the apache logs to a tmp file restart > apache sleep 5 minutes and then move the tmp file somewhere where newsyslog > can catch it. According to the logs, apache restarted fine but the tmp files > never made it anywhere. Again nothing useful in them either. > > So if this was a hardware failure (harddrive), then any kernel panic > statements probably would not make it to the harddrive. So it would be > hard to tell. My question is, what if i got hacked? Would there be anyway > to find out despite me being totally unprepared for this? > > That question really messes with my head. > Any pointer and/or clue stick treatments would be greatly appreciated. > > thanx > > mario;> >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3EB2D182.8010209>