Date: Tue, 21 Jul 1998 22:36:50 -0700 (PDT)
From: Jim Shankland <jas@flyingfox.com>
To: ahd@kew.com, leec@adam.adonai.net
Cc: security@FreeBSD.ORG
Subject: Re: hacked and don't know why
Message-ID: <199807220536.WAA11804@biggusdiskus.flyingfox.com>
In-Reply-To: <Pine.BSF.3.96.980721185446.5721A-100000@adam.adonai.net>

"Lee Crites (ASC)" <leec@adam.adonai.net> writes:

> In my case, the bin directories (/bin, /sbin, /usr/bin,
> /usr/sbin, etc) were still there, just that every program was
> replaced with the exact same "dummy" program. All were, as I
> recall, around 180k (exact same size with cmp showing no
> differences in any of them). The funny thing is that ls did what
> ls was supposed to do, ps did what it was supposed to do, etc,
> even though they were the same size and cmp'd as identical.

I *definitely* want to know how to squeeze every executable in /bin, /sbin, /usr/bin, and /usr/sbin into one 180KB file. I'll bet Jordan would, too, if he hadn't foresworn working on sysinstall :-).

The symptoms you describe (not counting the blow to the head), as well as Drew's, make me think "filesystem damage due to failing/flakey hardware" before "security compromise." Can't say for sure, of course; and in both cases, the evidence is gone. But I think you may be jumping to conclusions a bit to assert, "We were hacked like this two weeks ago."

Jim Shankland
Flying Fox Computer Systems, Inc.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message