Date: Thu, 18 Oct 2001 15:42:18 +0200 (CEST)
From: Konrad Heuer <kheuer@gwdu60.gwdg.de>
To: Tomek <tomek@mpionline.com>
Cc: <freebsd-questions@FreeBSD.ORG>
Subject: Re: I got hacked, I think
Message-ID: <20011018153844.X37678-100000@gwdu60.gwdg.de>
In-Reply-To: <20011018152518.G37610-100000@gwdu60.gwdg.de>
On Thu, 18 Oct 2001, Konrad Heuer wrote:

> On Thu, 18 Oct 2001, Tomek wrote:
>
> > Hope I don't sound like a fool posting 2 separate problems in the same
> > day. But while looking for the first problem I found many unusual
> > things. I will try to keep it to the point to not waste anyone's time. I
> > appreciate ANY help.
> >
> > ===WHAT I FOUND (quick snips)===
> >
> > (...)
> >
> > Is it normal for /var/log/security to be empty?
>
> Yes, it may usually be empty.
>
> > Is it normal to have lots of entries in setuid.today (ie: is it caused
> > by general server activity)?
>
> No; in normal operation, the files /var/log/setuid.today and
> /var/log/setuid.today should not differ very much; the system
> administrator should usually know when entries may change.
>
> > Any suggestions of what logs/places I should check next to find out WHAT
> > has been done to my system and what it was used for? (ie: a connection
> > log to see when this hacker was connecting, if it exists).
> > Any other help.
>
> I suggest (used this by myself) to place some entries in /etc/hosts.allow
> for ftp, telnet, ssh etc. which log any access; below you find an example
> I used to log telnet requests (in reality, this is *one* line, not two
> lines):
>
> telnetd : ALL : spawn ( /bin/date >> /var/log/telnetd.log && /bin/echo
> "telnet session request from %c" >> /var/log/telnetd.log ) : allow

I forgot to mention in my first reply that I'd put the system into secure
mode and set the system append-only flag for telnetd.log etc:

    chflags sappnd /var/log/telnetd.log
    sysctl -w kern.securelevel=2

This will prevent any intruder from eliminating his/her activity in
/var/log/telnetd.log.
Best regards

Konrad

Konrad Heuer                                                   Personal Bookmarks:
Gesellschaft für wissenschaftliche Datenverarbeitung mbH Göttingen   http://www.freebsd.org
Am Faßberg, D-37077 Göttingen                                  http://www.daemonnews.org
Deutschland (Germany)
kheuer@gwdu60.gwdg.de
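As an added example, not part of Konrad's message, the POSIX shell functions below generate the same hosts.allow spawn rule for any tcp_wrappers daemon (the reply mentions ftp, telnet and ssh) and count session requests per client in the log that rule writes, which is one /bin/date line followed by one "... session request from %c" line per connection. The function names and the sample log lines are constructed for this example.

```shell
#!/bin/sh
# Added example: generate the hosts.allow logging rule from the reply for
# any wrapped daemon, and summarize the resulting log by client.

# Emit the one-line /etc/hosts.allow entry for daemon $1 appending to log $2.
# The service name in the message ($3) defaults to $1 without its trailing "d"
# (telnetd -> telnet, sshd -> ssh, ftpd -> ftp). %%c is left for tcp_wrappers
# to expand to the client (host or user@host).
hosts_allow_rule() {
    daemon=$1; log=$2; svc=${3:-${1%d}}
    printf '%s : ALL : spawn ( /bin/date >> %s && /bin/echo "%s session request from %%c" >> %s ) : allow\n' \
        "$daemon" "$log" "$svc" "$log"
}

# Write a constructed sample log in the format the spawn rule produces to $1.
write_sample_log() {
    printf '%s\n' \
        'Thu Oct 18 15:42:18 CEST 2001' \
        'telnet session request from 192.0.2.10' \
        'Thu Oct 18 15:43:02 CEST 2001' \
        'telnet session request from 192.0.2.10' \
        'Thu Oct 18 16:01:44 CEST 2001' \
        'telnet session request from admin@198.51.100.7' > "$1"
}

# Print "<count> <client>" for each client in log $1, busiest first.
# Only the request lines are counted; the date lines are skipped.
summarize_log() {
    awk '/session request from/ { n[$NF]++ }
         END { for (c in n) print n[c], c }' "$1" | sort -rn
}

# Print clients from log $1 whose request count is at least $2.
noisy_clients() {
    summarize_log "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Stand-alone demo: show the rules for three daemons and the sample summary.
for d in ftpd telnetd sshd; do
    hosts_allow_rule "$d" "/var/log/$d.log"
done
demo_log=$(mktemp)
write_sample_log "$demo_log"
summarize_log "$demo_log"
echo "clients with 2 or more requests:"
noisy_clients "$demo_log" 2
rm -f "$demo_log"
```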