Date: Tue, 19 Dec 2000 03:24:15 -0500 (EST)
From: Mike Nowlin <mike@argos.org>
To: mikel <mikel@ocsinternet.com>
Cc: "Zaitsau, Andrei" <AZaitsau@panasonicfa.com>, net@FreeBSD.ORG
Subject: Re: Hacked computer
Message-ID: <Pine.LNX.4.21.0012190316450.10640-100000@jason.argos.org>
In-Reply-To: <3A3E5C33.793B5684@ocsinternet.com>
> If you've been rooted, then the logs are probably no good. But check your wtmp
> for logons, and messages, and well if you don't see anything unusual there then
> they've probably been wiped. Have you regained root yet? Personally I would pull the
> box off net and backup the important config stuff, then blast it....but hey I
> tend to be a bit of an extremist in these cases...

A very helpful trick I did on a Linux box once that was rooted where Mr. Friendly did a "rm -fr /" to try to make my life as difficult as possible was (after installing the erased drive on a new machine):

    strings /dev/hdc1 > keepme_hdc1

Due to the fact that "rm" really doesn't erase anything, the contents were still there - doing a "strings" on the raw partition will retrieve a lot. With a bit of patience, it's amazing what will show up -- usually, the former contents of /var/log/* will show up as large chunks that are easily read...

Turns out I found this guy's IP address and the time the system was blasted - a call to MCI resulted in a small amount of satisfaction...

--mike
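The raw-partition scan Mike describes, carried one step further as an added example (this is not code from the thread or from FreeBSD): a small `strings`-style scanner over a disk image, followed by a filter that keeps only lines in the classic syslogd layout (month, day, time, host, message) and tallies the IPv4 addresses they mention, so the analyst gets the "former contents of /var/log/*" back as structured records instead of reading a multi-gigabyte dump by eye. The image it scans is constructed in memory; the hostname `jason`, the IP 192.0.2.45 (documentation range) and the log lines are placeholders, not anything from the incident.

```python
"""Added example, not from the original thread: a minimal `strings`-style
scan over a raw partition image, plus a filter that pulls out syslog-looking
lines and the IP addresses they mention.

On real evidence this would be fed a raw device or a dd image, e.g.
    recover_log_lines(open("/dev/hdc1", "rb").read())
Here it is fed a constructed in-memory image so it runs offline.
"""
import re

MIN_LEN = 4  # same default as GNU strings -n: shorter runs are mostly noise

# Printable ASCII plus tab, which is what `strings` accepts; newline (0x0a)
# is not in the set, so it terminates a run and we get one log line per string.
_PRINTABLE = set(range(0x20, 0x7F)) | {0x09}

# Classic Unix syslogd line: "Dec 18 22:41:07 jason sshd[1427]: ..." (assumed
# format; adjust the pattern for ISO-8601 or journald-style logs).
_SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_strings(data: bytes, min_len: int = MIN_LEN):
    """Yield every run of at least min_len printable bytes, like `strings -n`."""
    run = bytearray()
    for b in data:                      # iterating bytes yields ints
        if b in _PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            yield run.decode("ascii")
        run.clear()
    if len(run) >= min_len:             # a run that reaches the end of the image
        yield run.decode("ascii")


def recover_log_lines(data: bytes):
    """Return (timestamp, host, message) for each syslog-looking string found."""
    hits = []
    for s in extract_strings(data):
        m = _SYSLOG_RE.match(s.strip())
        if m:
            hits.append((f"{m['mon']} {m['day']} {m['time']}", m["host"], m["msg"]))
    return hits


def ips_seen(data: bytes):
    """Distinct IPv4 addresses mentioned in recovered log lines, with counts."""
    counts = {}
    for _, _, msg in recover_log_lines(data):
        for ip in _IPV4_RE.findall(msg):
            counts[ip] = counts.get(ip, 0) + 1
    return counts


# --- constructed sample image: binary junk around an unlinked log fragment ---
# Hostname, PID and the 192.0.2.45 address are placeholders, not incident data.
_JUNK = bytes(range(256)) * 3
_MESSAGES_FRAGMENT = (
    b"Dec 18 22:41:07 jason sshd[1427]: Accepted password for root from 192.0.2.45 port 3311\n"
    b"Dec 18 22:43:52 jason su: root on pts/3\n"
    b"ab\x00"                           # too short to count as a string
    b"Dec 18 22:59:13 jason syslogd: exiting on signal 15\n"
)
SAMPLE_IMAGE = _JUNK + b"\x00\x00" + _MESSAGES_FRAGMENT + b"\xff\x00" + _JUNK

if __name__ == "__main__":
    for ts, host, msg in recover_log_lines(SAMPLE_IMAGE):
        print(ts, host, msg)
    print(ips_seen(SAMPLE_IMAGE))
```

Because deleted blocks can be partially overwritten, a recovered line may be truncated mid-message; the regex only requires the timestamp and host prefix, so such fragments are still kept rather than silently dropped. Work from a read-only copy of the drive (or a dd image) rather than the original device, so the scan itself cannot disturb the evidence.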