----- Original Message ----- 
From: "dave" <[EMAIL PROTECTED]>
Sent: Tuesday, April 13, 2004 11:51 PM
Subject: have i been hacked?

> Hello,
>     Wondering if a system on my network has been hacked? At approx 12:30
> this evening the hard disk went crazy, I have been out of town lately and
> have not checked any of the machines, when I did the CPU usage was at 15%
> which on this machine it never gets above 1 maybe 1.5. So I looked, and I
> had nearly 150 processes on the box, 9 running. When I got the daily run
> output I noticed the setuid files have changed. Wondering if this box got
> hacked and if so where to look to confirm this? And if so, what to do?
> Thanks.
> Dave.
> Checking setuid files and devices:
> ls: Terminated
> : No such file or directory
> guardian.davemehler.net setuid diffs:
> 1,52d0
> < 94240 -r-sr-xr-x  1 root  wheel     448384 Jun  4 21:54:47 2003 /bin/rcp
> < 117807 -r-sr-x---  1 root  operator  421832 Jun  4 21:55:39 2003

Compared to my 4.9 systems, your rcp is nearly twice the size as it should

-r-sr-xr-x  1 root  wheel  251444 Apr  9 12:05 rcp

You didn't say which version you were running but if it's a 4.x, then I'd
say you've got a serious issue here. If you're running 5.x then I can't say.


Micheal Patterson
Network Administration
TSG Incorporated
