Date: Mon, 18 Dec 2000 22:32:20 -0500 (EST)
From: Jim Durham <durham@w2xo.pgh.pa.us>
To: "Gerald T. Freymann" <freymann@eagle.ca>
Cc: Jonathan Fosburgh <syjef@mail.mdanderson.org>, Questions <questions@FreeBSD.ORG>
Subject: RE: Hacker history file - OUCH
Message-ID: <Pine.BSF.4.21.0012182223400.80236-100000@shazam.int>
In-Reply-To: <NEBBIPHLEDGOAFACJGDDIECGDHAA.freymann@eagle.ca>
On Mon, 18 Dec 2000, Gerald T. Freymann wrote:

> |O|> Do you know for sure it was an intruder?
>
> Had to be. All of this was done under the name of our backup software
> (amanda)
>
> |O|> The results of the su ought to be in /var/log/messages.
> |O|> Especially the one to toor. You should either see a success or failure
> message.
>
> Duh! Forgot about that. It only logs successful su's and there are none
> from anybody but staff since Nov 30th.

Ah, but this guy (or gal) was root! root can change the /var/log/messages
file, so don't believe anything you see on a machine that has been
compromised that way.

One could always do a new installation of the basic binaries on an old 486
or whatever and then NFS mount / and /usr and compare them against your
bin, sbin, etc. Use the tools on the new machine, of course, to do the
compare!

-Jim Durham