Date: Tue, 19 Dec 2000 10:07:45 -0500
From: Bill Vermillion <bill@bilver.wjv.com>
To: freebsd-net@freebsd.org
Subject: Re: Hacked computer
Message-ID: <20001219100745.B21801@wjv.com>
In-Reply-To: <Pine.LNX.4.21.0012190316450.10640-100000@jason.argos.org>; from mike@argos.org on Tue, Dec 19, 2000 at 03:24:15AM -0500
References: <3A3E5C33.793B5684@ocsinternet.com> <Pine.LNX.4.21.0012190316450.10640-100000@jason.argos.org>
On Tue, Dec 19, 2000 at 03:24:15AM -0500, Mike Nowlin thus spoke:

> > If you've been rooted, then the logs are probably no good. But
> > check your wtmp for logons, and messages, and well if you don't
> > see anything unusual there then they've probably been wiped. Have
> > you regained root yet?

...

...

> Due to the fact that "rm" really doesn't erase anything, the
> contents were still there - doing a "strings" on the raw partition
> will retrieve a lot.

> With a bit of patience, it's amazing what will show up -- usually,
> the former contents of /var/log/* will show up as large chunks
> that are easily read... Turns out I found this guy's IP address
> and the time the system was blasted - a call to MCI resulted in a
> small amount of satisfaction...

It's amazing what TCT - The Coroner's Toolkit - will display. 'lazarus' causes files to rise from the dead. Used ahead of time, you can run MD5 on the entire system so you can check everything if you believe you've been broken into. Dan Farmer and Wietse Venema wrote it.

Bill

-- 
Bill Vermillion - bv @ wjv . com
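The baseline-then-compare idea from the reply above (hash the whole system ahead of time, then check everything after a suspected break-in), as an added example that is not from this thread or from TCT itself; it assumes sha256 rather than MD5, a directory root of your choosing, and a constructed sample tree for the self-check.

```python
"""Added example, not from the thread: hash every file under a root before an
incident, then diff against a fresh run to list modified, added and removed
files. The post suggests MD5; sha256 is the default here (an assumption)."""
import hashlib
import os
import tempfile


def hash_file(path, algo="sha256", chunk=1 << 16):
    # Digest in chunks so large files need not fit in memory.
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root, algo="sha256"):
    """Map each regular file under root (path relative to root) to its digest.
    Symlinks are skipped so a redirected link cannot stand in for the real file."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            baseline[os.path.relpath(full, root)] = hash_file(full, algo)
    return baseline


def compare_baselines(before, after):
    """Paths whose digest changed, that are new, or that are gone."""
    return {
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
    }


def _write(root, rel, text):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)


def self_check():
    """Constructed sample tree, then the changes a log-wiping intruder leaves."""
    root = tempfile.mkdtemp()
    for rel, text in (("var/log/messages", "login ok\n"), ("bin/ls", "ls v1\n")):
        _write(root, rel, text)
    before = build_baseline(root)
    _write(root, "bin/ls", "replaced ls\n")                   # binary swapped out
    _write(root, "tmp/.hidden", "x\n")                        # new file dropped
    os.remove(os.path.join(root, "var", "log", "messages"))   # log wiped
    return compare_baselines(before, build_baseline(root))
```

Store the baseline off the host (or on read-only media); a baseline kept on the same disk can be edited along with the logs.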