From owner-freebsd-security@FreeBSD.ORG Sat Jun 12 14:08:10 2004
From: richard childers / kg6hac
Reply-To: fscked@pacbell.net
Organization: Daemonized Networking Services - http://www.daemonized.com
Date: Sat, 12 Jun 2004 07:04:54 -0700
To: freebsd-security@freebsd.org
Subject: How do I tell I was hacked?
Message-ID: <40CB0D86.9080905@pacbell.net>
In-Reply-To: <20040612120107.1D3F116A4E6@hub.freebsd.org>
List-Id: Security issues [members-only posting]

> Date: Sat, 12 Jun 2004 13:15:33 +0200
> From: "Peter Rosa"
> Subject: Hacked or not ?
> To: "FreeBSD Security"
> Message-ID: <016301c4506e$947644e0$3501a8c0@pro.sk>
>
> Hi all,
>
> please advise me - I was on holidays for one week. After return I found in
> security mails from router (chkrootkit) following message:
> Checking `lkm'...
> You have 1 process hidden for readdir command
> You have 1 process hidden for ps command
> Warning: Possible LKM Trojan installed
>
> It appeared only once. From the previous and next days' reports, the message is
> not present.
>
> How could I be sure the machine is not hacked?

[1] Make backups. tar(1), dump(8), doesn't matter.

[2] Reinstall identical operating system on new equipment.

[3] Restore backups into a large partition sized for this operation (call it '/backups').

[4] Compare the contents of each directory in /backups recursively against a known good copy. For example, to compare /usr against the backed-up image, do this:

    # diff -r /usr /backups/usr

[5] Review the list for files which differ or which do not exist on the known good copy.

[6] Exclude files for which there are good reasons for difference (i.e., logs and state files).

[7] Analyze the resulting files; pay particular attention to executables, but also libraries.

You may also find it useful to reload the old operating system onto a box on an insulated network and monitor the operating system, its processes and its network traffic, using known good tools.
Regards,

-- richard

--
Richard Childers / Senior Engineer
Daemonized Networking Services
945 Taraval Street, #105
San Francisco, CA 94116 USA
[011.]1.415.759.5571
http://www.daemonized.com

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.2.4 (FreeBSD)

mQGiBECGpfsRBACoPJJfIIrWAqjlW92TtYCtY//e7OW8alWylr/1ygtSQzjCCdvC
Ysa0fCcx01UenlWV+5YY/zC7KPsX2rQUKAs20fqs9et74dmgMGOj0vMjTzWEs29G
FyAsIRSpFioa8zzrjXEUVnU6OFaD9a9eaC+LSTCiKgXjbQySDKM5T1c+vwCg8W3Y
RZ83LRIUULGMPlY6zS4fQwUEAIIiTHDdWpbE+HeREJwH+4eDpGVf76XtNlOMXrt9
tJ3ExL+9ezLulg1nCrOYodOB7TEZqzV40R7emDZSX0hI9QEBCv6nW5aDVpw/bf+q
UEHwxrUvE2LBi35hoqR2QwqNlagOauSorWj8Qm/31luxJVeLVy1A1czp6B/mvG1T
co03A/9a5kzEAebJ5TzWXQC2/4gu/osXQnrw9B9FFpYOtLc0MNQuAFt8VLn5yO5Q
8T58w+FQvFI5FqzI5URmjQeEyWWuyIechknk4RnwIO1UPVjgRTuNgf9/TvNNfqpa
aVlbNp+AG21D6VqsFN2zJFFJeUqiYdXw6i+ESL3SZRymIhwYWrQ8UmljaGFyZCBB
IENoaWxkZXJzICh3d3cuZGFlbW9uaXplZC5jb20pIDxmc2NrZWRAcGFjYmVsbC5u
ZXQ+iF4EExECAB4FAkCGpfsCGwMGCwkIBwMCAxUCAwMWAgECHgECF4AACgkQjGqW
TlNTP66KzQCgjf0SQbiK1rgu7hRsmLPSSaGF7X8AoL7Qw/E9kTZr0fntP0XXEnk/
q6nRuQINBECGpvkQCADFzFq+kYbk+KTIhcVBTjTWDbBnjGgmuGR3LGp9hOd6W9SJ
i4GD5184ZnMbEgvDZcDEGDNgMcU+f1girwYI2v/o7QA7VQ5bpUbnfOBytzO+bvd7
uCOyJltg8AG5MFLxfhAMHofpNxGlFTEXdVp4M9xyBB+hdLHbJNJqkMGPf+iCUf1W
Q86KncU2AK4Sf9I+WYBZwkjaIhi9dQzeEX1c0Um6LxXSBtkjZprIk1M13gVaIJ6E
dDN6hrSMbXZL+7yURw38vHXCtRJAKEOyW178rI8MzJzvVNhobvC62uEWD9Idz8sH
5A06fqb2fKJYLQ1keGUpb/qpny7oTmAe0Hx9jOM7AAMGCACdTe1M4U++/7/OVGip
1gnWEtMhHeQQbS7KPh1w8/1kvs5Mml6uGYQI44lKTDP7OHJQ9hIT/+5tfKPHIPhU
M/7Mqa8y81c/AK+WUOyY9+uZ0zUxFGMqeU9z5iqJFWSi9QR/f5q/khfmqi5RFVyQ
nnVhxBMB8pY1vZHV1CoL7NLK4c/N8mpwCiZ57LTsP8pLfDMWF/OopmM2ulzlfWTr
anAdxQohenq/zTgSySX/VGZYSYvyAoXTRuU4USAVGWcUQPnVooA1N7lZP3pawjNP
QMSukx9jI1673BPsPXxyQZ1PmmPt9eHKI0G0hNJG+FCmSRLNT/R7hqTzTUmpgMWM
yyWPiEkEGBECAAkFAkCGpvkCGwwACgkQjGqWTlNTP642KACeITHq0b42P3oMX7Nj
F5U3EaqCgYoAn3HxUB7ELB6vMUugW4aSmZpBJOR6
=ZaJO
-----END PGP PUBLIC KEY BLOCK-----
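The comparison in steps [4] through [7] of the reply above, written out as an added shell example that is not part of Richard's mail and not a FreeBSD tool. It assumes a known-good install at the first argument and the restored backup at the second (both given without a trailing slash), and the exclusion list of log and state directories is an assumption to adjust for the box in question. Unlike plain diff -r it also reports files present in the known-good copy but absent from the backup, and tags each hit as an executable or library so those get looked at first.

```shell
#!/bin/sh
# compare_trees.sh: compare a restored backup against a known-good install.
# Added example; not from the original mail. Usage:
#   compare_trees /mnt/known_good /backups
# Output lines: DIFFERS | ONLY_IN_BACKUP | MISSING_FROM_BACKUP, a triage tag,
# and the path relative to the tree root.

# Relative paths expected to differ for legitimate reasons (logs, state).
# Assumed list; extend it for the system under review. Matched as prefixes.
EXCLUDE_PREFIXES="var/log var/run var/db tmp"

is_excluded() {
    # $1 = path relative to the tree root
    for p in $EXCLUDE_PREFIXES; do
        case "$1" in
            "$p"|"$p"/*) return 0 ;;
        esac
    done
    return 1
}

classify() {
    # $1 = absolute path in the suspect tree; print a triage tag
    case "$1" in
        *.so|*.so.*|*.a) echo "LIBRARY" ;;
        *)
            if [ -f "$1" ] && [ -x "$1" ]; then
                echo "EXECUTABLE"
            else
                echo "file"
            fi
            ;;
    esac
}

compare_trees() {
    good="$1"
    suspect="$2"

    # Pass 1: every regular file in the restored backup, compared byte for
    # byte (cmp) against the same path in the known-good copy.
    find "$suspect" -type f | while read -r f; do
        rel="${f#"$suspect"/}"
        if is_excluded "$rel"; then
            continue
        fi
        tag=$(classify "$f")
        if [ ! -e "$good/$rel" ]; then
            echo "ONLY_IN_BACKUP $tag $rel"
        elif ! cmp -s "$good/$rel" "$f"; then
            echo "DIFFERS $tag $rel"
        fi
    done

    # Pass 2: files the known-good copy has but the backup lacks. A rootkit
    # that removes or renames a binary would show up here, not in pass 1.
    find "$good" -type f | while read -r f; do
        rel="${f#"$good"/}"
        if is_excluded "$rel"; then
            continue
        fi
        [ -e "$suspect/$rel" ] || echo "MISSING_FROM_BACKUP file $rel"
    done
}
```

Run it from the known-good install so that find(1), cmp(1) and sh(1) themselves come from trusted media, and sort the output before reading it; ownership and mode differences are not reported here, so follow up on anything tagged EXECUTABLE or LIBRARY with ls -l and a checksum against the distribution.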