Date: Tue, 19 Dec 2000 10:22:23 -0500
From: Bill Vermillion <bill@bilver.wjv.com>
To: freebsd-net@freebsd.org
Subject: Re: Hacked computer
Message-ID: <20001219102223.C21801@wjv.com>
In-Reply-To: <20001219100745.B21801@wjv.com>; from bill@bilver.wjv.com on Tue, Dec 19, 2000 at 10:07:45AM -0500
References: <3A3E5C33.793B5684@ocsinternet.com> <Pine.LNX.4.21.0012190316450.10640-100000@jason.argos.org> <20001219100745.B21801@wjv.com>

On Tue, Dec 19, 2000 at 10:07:45AM -0500, Bill Vermillion thus spoke:
> On Tue, Dec 19, 2000 at 03:24:15AM -0500, Mike Nowlin thus spoke:

Damn - been one of those days. I looked at the sources to get
Wietse's name spelled right, and copied out the source address but
neglected to include that. Bad form to follow up your own message -
the relevant part is below for reference.

Here are the addresses for the source:

http://www.fish.com/forensics/
http://www.porcupine.org/forensics/

> > With a bit of patience, it's amazing what will show up -- usually,
> > the former contents of /var/log/* will show up as large chunks
> > that are easily read... Turns out I found this guy's IP address
> > and the time the system was blasted - a call to MCI resulted in a
> > small amount of satisfaction...
>
> It's amazing what TCT - The Coroner's Toolkit - will display.
> 'lazarus' causes files to rise from the dead. Used ahead of
> time you can run MD5 on the entire system so you can check
> everything if you believe you've been broken into.
>
> Dan Farmer and Wietse Venema wrote it.
>
> Bill
> --
> Bill Vermillion - bv @ wjv . com
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message
>

--
Bill Vermillion - bv @ wjv . com


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
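
Added example, not part of the original message and not TCT's code: a simplified Python sketch of the kind of recovery described in the thread above, classifying fixed-size blocks of a raw image as text or binary and then pulling syslog-shaped lines and IP addresses out of the text runs. The 1024-byte block size, the 90% printable threshold, the function names and the sample image are assumptions constructed for illustration.

```python
import re

BLOCK = 1024  # block size assumed for this sketch
# Classic BSD syslog shape: "Dec 19 03:01:12 host prog[pid]: message"
SYSLOG = re.compile(
    rb"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) [ \d]\d "
    rb"\d\d:\d\d:\d\d \S+ [^\n\x00]*")
IPV4 = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def is_text(block, threshold=0.9):
    """Treat a block as text if most bytes are printable ASCII or whitespace."""
    if not block:
        return False
    printable = sum(1 for b in block if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(block) >= threshold

def text_runs(image):
    """Yield (offset, data) for each run of consecutive text blocks."""
    start = None
    for off in range(0, len(image), BLOCK):
        if is_text(image[off:off + BLOCK]):
            if start is None:
                start = off
        elif start is not None:
            yield start, image[start:off]
            start = None
    if start is not None:
        yield start, image[start:]

def recover_log_lines(image):
    """Return (image offset, line, [ip, ...]) for syslog-shaped lines in text runs."""
    hits = []
    for base, data in text_runs(image):
        for m in SYSLOG.finditer(data):
            line = m.group().decode("ascii", "replace")
            ips = [ip.decode() for ip in IPV4.findall(m.group())]
            hits.append((base + m.start(), line, ips))
    return hits

def sample_image():
    """Constructed sample: binary block, leftover log text, binary block."""
    log = (b"Dec 19 03:01:12 host1 ftpd[412]: connection from 192.0.2.77\n"
           b"Dec 19 03:01:40 host1 login: ROOT LOGIN (root) ON ttyp0\n")
    binary = bytes(range(256)) * 4  # 1024 bytes, mostly non-printable
    return binary + log.ljust(BLOCK, b"\n") + binary

if __name__ == "__main__":
    for off, line, ips in recover_log_lines(sample_image()):
        print(off, line, ips)
```

On a real investigation the input would be a read-only copy of the disk or its unallocated space, never the live filesystem, so that the scan itself does not overwrite the blocks being searched.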