Date:      Tue, 19 Dec 2000 10:07:45 -0500
From:      Bill Vermillion <bill@bilver.wjv.com>
To:        freebsd-net@freebsd.org
Subject:   Re: Hacked computer
Message-ID:  <20001219100745.B21801@wjv.com>
In-Reply-To: <Pine.LNX.4.21.0012190316450.10640-100000@jason.argos.org>; from mike@argos.org on Tue, Dec 19, 2000 at 03:24:15AM -0500
References:  <3A3E5C33.793B5684@ocsinternet.com> <Pine.LNX.4.21.0012190316450.10640-100000@jason.argos.org>

On Tue, Dec 19, 2000 at 03:24:15AM -0500, Mike Nowlin thus spoke:

> > If you've been rooted, then the logs are probably no good. But
> > check your wtmp for logons, and messages, and well if you don't
> > see anything unusual there then they've probably been wiped. Have
> > you regained root yet?  ...

...

> Due to the fact that "rm" really doesn't erase anything, the
> contents were still there - doing a "strings" on the raw partition
> will retrieve a lot.

> With a bit of patience, it's amazing what will show up -- usually,
> the former contents of /var/log/* will show up as large chunks
> that are easily read... Turns out I found this guy's IP address
> and the time the system was blasted - a call to MCI resulted in a
> small amount of satisfaction...

It's amazing what TCT - The Coroner's Toolkit - will display.
'lazarus' causes files to rise from the dead.  Used ahead of
time, you can run MD5 on the entire system so you can check
everything if you believe you've been broken into.

Dan Farmer and Wietse Venema wrote it. 

Bill
-- 
Bill Vermillion -   bv @ wjv . com
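The "run MD5 on the entire system ahead of time" idea above, as an added example (not from the thread or from TCT): build a hash baseline of a file tree, then diff a later scan against it to report modified, added and removed files. The directory layout and file contents are constructed for the demo; the comments note where a real deployment must keep the baseline and the hashing tool off the host being checked.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative_path: md5_hex} for every regular file under root.

    MD5 is used because that is what the post names; a baseline built
    today would use SHA-256, the comparison logic is identical.
    """
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            h = hashlib.md5()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            baseline[path.relative_to(root).as_posix()] = h.hexdigest()
    return baseline


def compare(baseline, current):
    """Classify differences between the stored baseline and a fresh scan.

    The baseline (and ideally the scanner itself) must live on read-only
    or offline media: on a rooted box an attacker can rewrite both,
    exactly as the thread notes they wipe logs.
    """
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed scenario: take a baseline, then simulate a tampered host."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary")       # constructed
        (root / "var" / "log").mkdir(parents=True)
        (root / "var" / "log" / "messages").write_bytes(b"Dec 19 sshd[1]: ok\n")
        baseline = hash_tree(root)
        # simulate what a break-in leaves behind: a replaced binary,
        # a new file, and a deleted log (all constructed for the demo)
        (root / "bin" / "ls").write_bytes(b"replaced ls binary")
        (root / "etc").mkdir()
        (root / "etc" / "extra.conf").write_bytes(b"x")
        (root / "var" / "log" / "messages").unlink()
        return compare(baseline, hash_tree(root))
```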