From owner-freebsd-security@FreeBSD.ORG  Sun Jun 13 16:42:24 2004
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 7817B16A4CE
	for <freebsd-security@freebsd.org>;
	Sun, 13 Jun 2004 16:42:24 +0000 (GMT)
Received: from lakshmi.kiev.ua (sita-home-gw.Kyiv.wnet.ua [217.20.169.217])
	by mx1.FreeBSD.org (Postfix) with ESMTP id B247843D31
	for <freebsd-security@freebsd.org>;
	Sun, 13 Jun 2004 16:42:23 +0000 (GMT)
	(envelope-from ay@lakshmi.kiev.ua)
Received: from lakshmi.kiev.ua (localhost.sita.kiev.ua [127.0.0.1])
	i5DGfxdj024457;	Sun, 13 Jun 2004 19:42:00 +0300 (EEST)
	(envelope-from ay@lakshmi.kiev.ua)
Received: (from ay@localhost)
	by lakshmi.kiev.ua (8.12.11/8.12.9/Submit) id i5DGfxgS024456;
	Sun, 13 Jun 2004 19:41:59 +0300 (EEST)
	(envelope-from ay)
Date: Sun, 13 Jun 2004 19:41:59 +0300
From: Alexander Yeremenko <ay@wnet.ua>
To: Ondra Holecek <bln@bln.no-ip.org>
Message-ID: <20040613164159.GA24448@lakshmi.kiev.ua>
Mail-Followup-To: Alexander Yeremenko <ay@wnet.ua>,
	Ondra Holecek <bln@bln.no-ip.org>, freebsd-security@freebsd.org
References: <016301c4506e$947644e0$3501a8c0@pro.sk>
	<20040612175035.739bbfa4@tarkhil.over.ru>
	<20040613161714.GA24325@lakshmi.kiev.ua> <200406131819.43297.>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200406131819.43297.>
User-Agent: Mutt/1.4.1i
cc: freebsd-security@freebsd.org
Subject: Re: Hacked or not ?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: ay@wnet.ua
List-Id: Security issues [members-only posting]
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Jun 2004 16:42:24 -0000

On Sun, Jun 13, 2004 at 06:20:11PM +0000, Ondra Holecek wrote:
> On Sunday 13 June 2004 16:17, Alexander Yeremenko wrote:
> > On Sat, Jun 12, 2004 at 05:50:35PM +0400, Alex Povolotsky wrote:
> > > On Sat, 12 Jun 2004 14:39:21 +0200
> > > "Peter Rosa" <prosa@pro.sk> wrote:
> > >
> > > PR> But what about the /var/log/messages logs absence ?
> > > PR> And, how to test the machine, if it is healthy ?
> > >
> > > Boot from CD and compare md5 checksums on system files. That's the first
> > > step.
> >
> > 	I'm running a frequent script, evaluating md5 for binaries, libs
> > etc, and reports isn't something changed
> 
> But, what if hacker modifies this script to not report changes, or change the 
> original MD5 checksum
	This smart hacker must know about this script :)
-- 
AY7-UANIC  ||  AY15-RIPE