From owner-freebsd-security@FreeBSD.ORG Fri May 2 13:12:02 2003
Message-ID: <3EB2D182.8010209@superig.com.br>
Date: Fri, 02 May 2003 17:13:54 -0300
From: Tony Meman
To: freebsd-security@freebsd.org
Subject: Re: Did i get hacked?
List-Id: Security issues [members-only posting]

Hi Mario,

well, any strange activity in the system should be taken into consideration, so I really think you should audit your system. You said the reboot occurred at 0:32am; it's a good idea to search for files modified around that time. You could use the binary of some trustable system just in case /usr/bin/find got trojaned.

You said you did not find anything in the logs; they could have been erased. Use chkrootkit to verify if there are wtmp/lastlog entries that may have been erased.
Chkrootkit is a pretty nice utility and will be able to tell you if there are hidden processes running on the system (comparing output from ps with /proc entries) and search for well-known rootkits. The tool is not perfect but helps a lot; check it out: http://www.chkrootkit.org

Good luck,

-- 
Marcello Azambuja

mario wrote:
> hello,
> I have a FreeBSD 4.8-PRERELEASE #0 that I use as a gateway / nat box for
> my home.
> It also acts as a dns / mail server to the outside world.
> I'm using ipf and basically filter for bogus networks on the way in and out.
> I allow everything out keeping state,
> and allow this in:
> pass in proto icmp from any to any icmp-type squench group 200
> pass in proto icmp from any to any icmp-type timex group 200
> pass in proto icmp from any to any icmp-type paramprob group 200
> pass in quick proto tcp from any port > 1023 to any port = smtp group 200
> pass in quick proto udp from any port > 1023 to any port = domain group 200
>
> on these ports I run qmail and tinydns
>
> I was a bit sloppy by leaving these w/out a password,
> figuring they can't login anyway.
>
> gtinydns::nnnn:nnnn::0:0:tinydns:/nonexistent:/sbin/nologin
> gdnslog::nnnn:nnnn::0:0:dns logger:/nonexistent:/sbin/nologin
> gaxfrdns::nnnn:nnnn::0:0:zone transfer:/nonexistent:/sbin/nologin
>
> I've changed this now, though I'm still not sure about the implications of
> this.
> Also I'm not running tripwire or any other intrusion detection.
>
> Here's my problem. When I got up this morning, I noticed that the box
> rebooted at 0:32 this morning. I have 3 other computers that did not
> reboot, leaving me to believe there was no power failure. I looked through
> all the logs seeking clues as to what happened. Hardware failure? It is an
> old p-75 and the hard drive has had issues in udma-2 but has been doing
> fine for months in pio4 mode.
>
> I also have a cron job at 0:30 to move the apache logs to a tmp file,
> restart apache, sleep 5 minutes and then move the tmp file somewhere where
> newsyslog can catch it. According to the logs, apache restarted fine but
> the tmp files never made it anywhere. Again nothing useful in them either.
>
> So if this was a hardware failure (harddrive), then any kernel panic
> statements probably would not make it to the harddrive. So it would be
> hard to tell. My question is, what if I got hacked? Would there be any way
> to find out despite me being totally unprepared for this?
>
> That question really messes with my head.
> Any pointer and/or clue stick treatments would be greatly appreciated.
>
> thanx
>
> mario;>
>
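The first step Marcello recommends, listing files whose modification time falls in a window around the 0:32 reboot, can be scripted with nothing more than the POSIX find(1) primaries -newer and ! -newer against two touch(1)-dated reference files, so it also runs on a FreeBSD 4.x box of that era. The script below is an added example, not code from the list post or from chkrootkit; it assumes a FIND environment variable pointing at a find binary you trust (a copy from known-good media if /usr/bin/find may be trojaned) and builds a small constructed directory tree with invented timestamps to run against, since the real filesystem is not available here. The mtime check is only a hint: an intruder who can run touch can backdate files, and ctime (find -newer compares mtime only) or a checksum against install media is the stronger test.

```sh
#!/bin/sh
# Added example (not from the original post): list files whose mtime falls
# in a window around a suspicious event, using only POSIX find(1) primaries.
# FIND is the find binary to trust; default to the one in PATH. Assumption:
# the operator overrides it with a copy from known-good media when needed.
FIND="${FIND:-find}"

# files_modified_between ROOT START END
#   START and END are touch(1) -t timestamps ([[CC]YY]MMDDhhmm[.SS]).
#   Prints paths under ROOT, on ROOT's filesystem only, with START < mtime <= END.
#   Two reference files carry the window boundaries, which is what find
#   offered before -newermt and -mmin existed.
files_modified_between() {
    fmb_root=$1; fmb_start=$2; fmb_end=$3
    fmb_ref=$(mktemp -d) || return 1
    touch -t "$fmb_start" "$fmb_ref/start"
    touch -t "$fmb_end"   "$fmb_ref/end"
    # -xdev keeps the walk off procfs, devfs and NFS mounts; permission
    # errors are silenced so a non-root dry run stays readable.
    "$FIND" "$fmb_root" -xdev -newer "$fmb_ref/start" ! -newer "$fmb_ref/end" \
        2>/dev/null | sort
    rm -rf "$fmb_ref"
}

# build_demo_tree: constructed sample data, not real system files.
#   Four files with chosen mtimes around 00:32 on 2 May 2003 and one from
#   days earlier. Directory mtimes are "now", so they fall outside the window.
build_demo_tree() {
    bdt_dir=$(mktemp -d) || return 1
    mkdir -p "$bdt_dir/bin" "$bdt_dir/etc" "$bdt_dir/var/log" "$bdt_dir/tmp"
    : > "$bdt_dir/bin/ls";           touch -t 200305020030 "$bdt_dir/bin/ls"
    : > "$bdt_dir/etc/passwd";       touch -t 200305020033 "$bdt_dir/etc/passwd"
    : > "$bdt_dir/var/log/messages"; touch -t 200305020100 "$bdt_dir/var/log/messages"
    : > "$bdt_dir/tmp/old";          touch -t 200304301200 "$bdt_dir/tmp/old"
    printf '%s\n' "$bdt_dir"
}

# suspect_files_relative ROOT START END
#   Same as files_modified_between, but strips ROOT/ so the report is easy
#   to diff against a later run or against another machine.
suspect_files_relative() {
    sfr_root=$1
    files_modified_between "$sfr_root" "$2" "$3" | sed "s|^$sfr_root/||"
}

# Usage on a real box, from a trusted shell:
#   FIND=/mnt/cdrom/usr/bin/find sh thisscript.sh    (then call the function)
#   files_modified_between / 200305020015 200305020045
if [ "${1:-}" = "--demo" ]; then
    demo_root=$(build_demo_tree)
    echo "Files touched between 00:15 and 00:45 on 2 May 2003:"
    suspect_files_relative "$demo_root" 200305020015 200305020045
    rm -rf "$demo_root"
fi
```

On the demo tree the report is bin/ls and etc/passwd; var/log/messages (01:00) and tmp/old (30 April) fall outside the window. Run it with --demo to see that output, or source the file and call files_modified_between on / with a window around the reboot.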