From owner-freebsd-security@FreeBSD.ORG  Sat Jun 12 13:52:14 2004
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 8706816A4CE
	for <freebsd-security@freebsd.org>;
	Sat, 12 Jun 2004 13:52:14 +0000 (GMT)
Received: from techno.sub.ru (webmail.sub.ru [213.247.139.22])
	by mx1.FreeBSD.org (Postfix) with SMTP id 884BA43D5A
	for <freebsd-security@freebsd.org>;
	Sat, 12 Jun 2004 13:52:13 +0000 (GMT)
	(envelope-from tarkhil@webmail.sub.ru)
Received: (qmail 48883 invoked by uid 0); 12 Jun 2004 13:50:35 -0000
Received: from webmail.sub.ru (HELO tarkhil.over.ru) (213.247.139.22)
  by techno.sub.ru with SMTP; 12 Jun 2004 13:50:35 -0000
Date: Sat, 12 Jun 2004 17:50:35 +0400
From: Alex Povolotsky <tarkhil@webmail.sub.ru>
To: freebsd-security@freebsd.org
Message-Id: <20040612175035.739bbfa4@tarkhil.over.ru>
In-Reply-To: <01b701c4507a$49399840$3501a8c0@pro.sk>
References: <016301c4506e$947644e0$3501a8c0@pro.sk>
	<20040612114700.GA1082@lupe-christoph.de>
	<01b701c4507a$49399840$3501a8c0@pro.sk>
Organization: sub.ru
X-Mailer: Sylpheed version 0.9.9claws (GTK+ 1.2.10; i386-portbld-freebsd4.8)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Subject: Re: Hacked or not ?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Jun 2004 13:52:14 -0000

On Sat, 12 Jun 2004 14:39:21 +0200
"Peter Rosa" <prosa@pro.sk> wrote:

PR> But what about the /var/log/messages logs absence ?
PR> And, how to test the machine, if it is healthy ?

Boot from CD and compare md5 checksums on system files. That's the first step.

Compare your kernel sources with clean ones, rebuild kernel and compare it with the running one. If you're running GENERIC, compare it with the distributed one.

Compare /modules directory with distribution one.

Check your (and system) .profile or .login etc.

After this step, you should have reasonably clean system.

-- 
Alex.