Date: Thu, 18 Oct 2001 17:38:31 -0600
From: "Tomek" <tomek@mpionline.com>
To: <freebsd-security@FreeBSD.ORG>
Subject: I got hacked, not login wise, software wise
Message-ID: <06cf01c1582d$ff363600$f6f073d1@mpionline.com>
References: <20011018131823.Y621-100000@jodie.ncptiddische.net> <011e01c157cf$9b401700$f6f073d1@mpionline.com> <20011018165057.V3734@ns2.wananchi.com> <01e701c157e4$f012abc0$f6f073d1@mpionline.com> <20011018180513.C3734@ns2.wananchi.com> <20011018114805.E70327@acadia.ne.mediaone.net> <018801c157ef$37ec0720$f6f073d1@mpionline.com> <03db01c15812$c4575d40$f6f073d1@mpionline.com>
Hello there,

==QUICK SUMMARY TO NOT WASTE YOUR TIME===
=Without a doubt I have been hacked
=No one should have any accounts or access except me
=They managed to create some files in / to unzip and install sudo
=They seemed to be running under "Broot"
=They tried to make user "l-x" as wheel but failed to login
=They repeatedly have tried anonymous ftp and failed

Why I think it is NOT a login hack but some kind of buffer or software hack
=log files show nothing about logins
=doubtful they just covered their tracks because they left files sitting in / as well as left the user "l-x"

===MY SUMMARY===
I think they found a way to get some program (I use a limited and careful selection of them) to create the files as "Broot" and they tried to find a way to login but failed. I am NOT sure about this, maybe they did cover their tracks but were sloppy and left more obvious hints.

===MY QUESTIONS===
=1= I have a user "Broot", I noticed it only a few days after installing FreeBSD 4.3-RELEASE (GENERIC) #0. Is it normal? Many say they do not have it, but on google a search shows many do.
=2= Is there ANY way of determining WHICH program/process has allowed commands to be run to create/install "sudo" (which is what the hacker has installed). It is NOT a logged in user that installed it. Maybe there are some logs for what processes were running at the time, what process made a file, or whatever.
=3= Any other advice?

NOTE: I have not yet notified the hacker I am on to them, I am hoping to catch them doing something so I know what they are after. But they may realize I am on to them by now.
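The checks a responder would run on a box in the state the post describes (unexpected UID-0 account, an account pushed into wheel, a planted sudo binary, fresh files in /), as an added example that is not part of the original message or of any reply to it. Every function takes explicit paths so it can be pointed at the live root, a mounted copy of the disk, or a saved /etc, and prints one finding per line (empty output means nothing found). Assumptions: POSIX sh with awk and find; the `--live` flag, the three-day window and the script layout are this example's own. On FreeBSD the password hashes live in /etc/master.passwd (root-readable; /etc/passwd shows `*`), so the empty-password check must be run on that file; the stock install also ships `toor`, a second UID-0 account with a disabled password, which is expected. The question of which process created a file cannot be answered from the standard logs after the fact; BSD process accounting (`accounting_enable="YES"` in /etc/rc.conf, records read with lastcomm(1)) logs every command executed and the user it ran as from the moment it is switched on, which is why the last check reports whether it is enabled.

```shell
#!/bin/sh
# Post-compromise triage helpers. Example code, not from the original post.
# Each function takes the file or directory to inspect as an argument so it
# works against a live system or a copy taken for analysis.

# UID-0 accounts other than root. On a stock FreeBSD install "toor" is
# expected here; anything else (e.g. the "Broot" from the post) needs explaining.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Everyone who can su to root: explicit wheel members from the group file
# plus accounts whose primary group is gid 0 (wheel on FreeBSD).
# Args: GROUP_FILE PASSWD_FILE
wheel_members() {
    {
        awk -F: '$1 == "wheel" && $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$1"
        awk -F: '$4 == 0 { print $1 }' "$2"
    } | LC_ALL=C sort -u
}

# Accounts with an empty password field. Run on /etc/master.passwd, which
# holds the real hashes; /etc/passwd only shows "*".
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Regular files under DIR whose inode changed within DAYS days. ctime is used
# rather than mtime because touch(1) can reset mtime but not ctime.
# Args: DIR DAYS
recently_changed() {
    find "$1" -xdev -type f -ctime -"$2"
}

# setuid/setgid regular files under DIR; a planted sudo shows up here.
setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \)
}

# Whether BSD process accounting is enabled in the given rc.conf (yes/no).
# Without it there is no record of which command created a file.
accounting_enabled() {
    if grep -q '^accounting_enable="YES"' "$1"; then echo yes; else echo no; fi
}

# Run all checks against a root filesystem, its etc directory and a day window.
# Args: ROOT ETC DAYS
triage_report() {
    root=$1; etc=$2; days=$3
    echo "== UID-0 accounts other than root (toor is stock on FreeBSD) =="
    uid0_accounts "$etc/passwd"
    echo "== accounts able to su to root (wheel) =="
    wheel_members "$etc/group" "$etc/passwd"
    echo "== accounts with an empty password (master.passwd) =="
    empty_password_accounts "$etc/master.passwd"
    echo "== setuid/setgid files =="
    setid_files "$root"
    echo "== files changed in the last $days day(s) =="
    recently_changed "$root" "$days"
    echo "== process accounting enabled in rc.conf =="
    accounting_enabled "$etc/rc.conf"
}

# Example invocation (assumed flag name): sh triage.sh --live, run as root.
if [ "$1" = "--live" ]; then
    triage_report / /etc 3
fi
```

Run it against the live box only after saving the output of the checks somewhere the attacker cannot modify; comparing `setid_files` and `recently_changed` output against a freshly installed 4.3 system of the same build makes the planted sudo and the files dropped in / stand out from the legitimate ones.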