Date:      Sat, 12 Jun 2004 16:07:06 +0200
From:      lupe@lupe-christoph.de (Lupe Christoph)
To:        Peter Rosa <prosa@pro.sk>
Cc:        FreeBSD Security <freebsd-security@freebsd.org>
Subject:   Re: Hacked or not appendice
Message-ID:  <20040612140706.GB1082@lupe-christoph.de>
In-Reply-To: <019101c45072$a8b9cfe0$3501a8c0@pro.sk>
References:  <019101c45072$a8b9cfe0$3501a8c0@pro.sk>

On Saturday, 2004-06-12 at 13:44:45 +0200, Peter Rosa wrote:

> I must add, there are no log entries after June 9, 2004. "LKM" message first
> appeared June 8, 2004, after this day, there is nothing in /var/messages,
> /var/security .....

Check if your syslog daemon is running. Also try to log something from
the command line with logger.

> How could I look for suspicious LKM module ? How could I find it, if the
> machine is hacked and I can not believe "ls", "find" etc. commands ?

Dunno. I've turned off modules on all my FreeBSD machines. IIRC, the
way to check binaries is to "make buildworld", install somewhere else
and compare. Of course, you should not build on a suspect machine.

Have you turned on securelevel?

HTH,
Lupe Christoph
-- 
| lupe@lupe-christoph.de       |           http://www.lupe-christoph.de/ |
| "... putting a mail server on the Internet without filtering is like   |
| covering yourself with barbecue sauce and breaking into the Charity    |
| Home for Badgers with Rabies.                            Michael Lucas |
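As an added example (not part of this thread and not FreeBSD's own tooling), the "build clean, install elsewhere, compare" check Lupe describes, as a POSIX shell script. It assumes the clean buildworld was installed with DESTDIR into a reference directory, and that the suspect filesystem is mounted read-only on the clean host so nothing from the suspect machine is executed during the comparison.

```shell
#!/bin/sh
# Compare a suspect tree against a clean reference build by content hash.
# Constructed example: run it on the trusted host, never on the suspect box,
# since its ls/find/sha256 could themselves be replaced.

# Use whatever SHA-256 tool the trusted host provides (FreeBSD: sha256 -q).
digest() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# compare_trees REFERENCE SUSPECT
# Prints one line per discrepancy, with paths relative to the tree roots:
#   MISSING  path  - present in the clean build, gone from the suspect
#   EXTRA    path  - present on the suspect, produced by no clean build
#   MODIFIED path  - present in both, but the contents differ
compare_trees() {
    ref=$1
    sus=$2
    tmp=$(mktemp -d) || return 1
    ( cd "$ref" && find . -type f ) | sed 's|^\./||' | sort > "$tmp/ref"
    ( cd "$sus" && find . -type f ) | sed 's|^\./||' | sort > "$tmp/sus"
    comm -23 "$tmp/ref" "$tmp/sus" | sed 's/^/MISSING /'
    comm -13 "$tmp/ref" "$tmp/sus" | sed 's/^/EXTRA /'
    # Hash every common file; size and mtime are trivially forged, digests are not.
    comm -12 "$tmp/ref" "$tmp/sus" | while IFS= read -r f; do
        [ "$(digest "$ref/$f")" = "$(digest "$sus/$f")" ] || echo "MODIFIED $f"
    done
    rm -rf "$tmp"
}

# Stand-alone demo on two constructed trees (a tampered find, a lost ps,
# an unexplained extra binary); real use: compare_trees /mnt/clean /mnt/suspect
demo=$(mktemp -d)
mkdir -p "$demo/ref/bin" "$demo/sus/bin"
printf 'clean ls\n'      > "$demo/ref/bin/ls";   printf 'clean ls\n'    > "$demo/sus/bin/ls"
printf 'clean find\n'    > "$demo/ref/bin/find"; printf 'tampered\n'    > "$demo/sus/bin/find"
printf 'clean ps\n'      > "$demo/ref/bin/ps";   printf 'unknown\n'     > "$demo/sus/bin/unknown"
compare_trees "$demo/ref" "$demo/sus"
rm -rf "$demo"
```

Only files are compared; a kernel module loaded at runtime leaves no trace here, which is why the thread also asks about securelevel.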