Re: I have been hacked (WAS: Have I been hacked or is nmap wrong?)

2006-01-18 Thread Will Maier
On Wed, Jan 18, 2006 at 05:38:50PM +0200, Kilian Hagemann wrote:
> On Wednesday 18 January 2006 16:25, Will Maier pondered:
> > On Wed, Jan 18, 2006 at 03:56:32PM +0200, Kilian Hagemann wrote:
> > > I have never even heard of "frox" before, but after some
> > > googling it turns out that it's a GPL'ed transparent ftp
> > > proxy...
> >
> > Where's it pointing?
> 
> No idea, I only went as far as trying to login anonymously using a
> console based ftp client. How could I find out?

Connect to it and watch the packets in tcpdump(8) or similar. This
may not give you the full answer, but it'll help. What banners do
the FTP servers have? Is there a domain listed? Who owns that
domain?

> > What do you see when you connect to the SMTP ports? Are they
> > really mail servers, or just rogue services running on 25?
> 
> They are really mail servers, at least smtp for outgoing mails
> (don't know about incoming though). I used kmail to configure them
> as standard outgoing smtp mail servers and successfully sent
> myself two emails, one via each server. Surely a default, out of
> the box, unconfigured and sendmail_enable="None" sendmail process
> wouldn't allow for something like that, never mind the fact that
> the firewall is supposed to block ANY access from the outside
> (output of ipfw show is attached)

So these are running, functioning sendmail servers that /you/ didn't
configure (on purpose)? What do you see when you 'talk' to them via
nc(1)? If your firewall was dropping incoming packets destined to
those ports, you wouldn't have been able to send a mail through
them (or connect on 25 with nc(1))...

> Well, I didn't worry about samba because it's firewalled to the
> outside (unless some Windows virus on one of the LAN machines
> exploited a samba hole, is that likely?). 

I don't know Samba that well, but it's possible it could be
exploited (check the web for recent advisories pertaining to it).
How much do you trust the users on the 'green' side? Could one of
their boxes have been compromised and then used as a platform to
attack your border servers? This sort of (nightmare) scenario is why
people have been whining about 'defense in depth' for the last few
years; it turns out that your crunchy, impermeable outside actually
can be as squishy as your inside.

> There is only one single normal user account with an uncommon name
> and an impossible password (16 characters randomly generated from
> ASCII charset).  ChallengeResponseAuthentication is commented out
> in sshd which I guess means it uses the standard PAM
> authentication. It also allows password/interactive authentication
> in addition to public key, I always use the former. I do admit
> that I have set "PermitRootLogin yes" but my root password is 9
> characters with numbers and non-alphanumeric characters, so hard
> to brute-force.

Having a kickass, long username with an 'impossible' 16 char
password and an open root account with a password 9 chars long is
like putting a heavy steel door on a cardboard box. Allowing
PermitRootLogin is a mistake in almost every scenario; disable it in
the next generation of your servers (if possible). It's a 'weakest
link' sort of situation, I guess.

> In any case, it's important to note that the only access from the
> outside via ssh/rsync is firewalled in such a way that it only
> allows access from a single IP address which my institution
> assigns me statically via DHCP (see attachment). 

That's good.

> They would have had to a) find out what this one and only trusted
> IP address is b) spoof it successfully c) attack ssh brute force?

Assuming the firewall works, they would certainly have to complete
steps a, b and c; unless, that is, they compromised /your/ box, too.
Unlikely, though, I suspect.

> Well, I thought my setup was secure enough for a very basic
> router/gateway/firewall for a couple of Windows machines using a
> sucky internet connection which is not worth stealing. 

Unfortunately, the asset you should be protecting might not be your
bandwidth or data or whatever it is you've been assuming. When you
set up a firewall, you're protecting something -- in your case, what
is it? Have you defined that for yourself? It's hard to do a good
job defending something you haven't or can't define. While it
probably sounds pedantic or silly, take a moment to ask yourself
what it is you want to protect. If there are several things, rank
them by priority. _Then_ go about designing a defense. Securing your
stuff may not be a terribly high priority at all; if so, accept the
fact that something bad will happen once in a while. Your security
plan might just be "deal with it when the shit hits the fan." No
problem. That can make sense. Having clarified that for yourself,
though, makes things easier.

> So I didn't go through the effort of using a file integrity
> monitor, remote logging, traffic dumps or network monitors (jeez,
> sysadmins lives are really difficult these days :-( ) 

Like I said above, those s

Re: I have been hacked (WAS: Have I been hacked or is nmap wrong?)

2006-01-18 Thread Kilian Hagemann
On Wednesday 18 January 2006 17:13, [EMAIL PROTECTED] pondered:
> sendmail_enable="NONE" would do the same as all that other crap mentioned
> I find it a waste of time trying to figure out how a hacker got in just
> format the machine reinstall freebsd and secure the box up a bit and try
> updating it when vulnerabilities are out. And this shouldn't happen again

Yeah, I'll have to look into that NONE vs all NO individually because it gave 
me hassles from the beginning (STILL sendmail stuff in /var/log/messages 
after disabling with NONE), but the important thing here is outside sendmail 
access was firewalled (see my other post and its attachment for ipfw rules).

Anyway, I guess you're right, reinstalling and beefing up security will be 
easier. I just thought that if they didn't get in through brute-forcing my 
sshd (the only vulnerability I can think of so far), and the attack came from 
the internet (not some worm/virus on one of the Windows machines), it's some 
unpublished vulnerability in some part of FreeBSD that I'm sure others would 
like to know about. But hey, from what you guys are telling me that seems 
unlikely...

-- 
Kilian Hagemann
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: I have been hacked (WAS: Have I been hacked or is nmap wrong?)

2006-01-18 Thread Kilian Hagemann
On Wednesday 18 January 2006 16:25, Will Maier pondered:
> On Wed, Jan 18, 2006 at 03:56:32PM +0200, Kilian Hagemann wrote:
> > I have never even heard of "frox" before, but after some googling
> > it turns out that it's a GPL'ed transparent ftp proxy...
>
> Where's it pointing?

No idea, I only went as far as trying to login anonymously using a console 
based ftp client. How could I find out?

> > Also, I said smtp ports were open on the machines in question, I
> > just verified that I can send emails via BOTH these systems even
> > though no sendmail/exim/whatever was ever installed by me and
> > sendmail_enable="None" on both.
>
> What do you see when you connect to the SMTP ports? Are they really
> mail servers, or just rogue services running on 25?

They are really mail servers, at least smtp for outgoing mails (don't know 
about incoming though). I used kmail to configure them as standard outgoing 
smtp mail servers and successfully sent myself two emails, one via each 
server. Surely a default, out of the box, unconfigured and 
sendmail_enable="None" sendmail process wouldn't allow for something like 
that, never mind the fact that the firewall is supposed to block ANY access 
from the outside (output of ipfw show is attached)

> > My servers have been compromised, fantastic. And that with an
> > initial firewall'ed setup that left NO open ports (I verified that
> > a while ago with nmap). So much for my impression that FreeBSD was
> > secure.
>
> My condolences; what you describe, though, doesn't really suggest
> that /FreeBSD/ is insecure. In the vast majority of these situations
> (and yes, I have found myself in your shoes before), the operator
> (you or I) is to blame.

Alright, I guess that's a fair assumption. But that's what this thread is 
about: What (if anything) did I do wrong?

> > How could this have happened? ipfw buffer overflow? Some other
> > unknown vulnerability?
>
> Ockham's razor: the simplest is also the most likely solution.
> You're running Samba; is there any chance that that service or your
> configuration of it could have opened a hole? How many people have
> user accounts on that box? Do you allow
> ChallengeResponseAuthentication on SSH? Key only?

Well, I didn't worry about samba because it's firewalled to the outside (unless 
some Windows virus on one of the LAN machines exploited a samba hole, is that 
likely?). There is only one single normal user account with an uncommon name 
and an impossible password (16 characters randomly generated from ASCII 
charset). ChallengeResponseAuthentication is commented out in sshd which I 
guess means it uses the standard PAM authentication. It also allows 
password/interactive authentication in addition to public key, I always use 
the former. I do admit that I have set "PermitRootLogin yes" but my root 
password is 9 characters with numbers and non-alphanumeric characters, so 
hard to brute-force.

In any case, it's important to note that the only access from the outside via 
ssh/rsync is firewalled in such a way that it only allows access from a 
single IP address which my institution assigns me statically via DHCP (see 
attachment). They would have had to a) find out what this one and only 
trusted IP address is b) spoof it successfully c) attack ssh brute force?

> > I really wanna find out how they got in (syslog offers no clues
> > btw, I've been rootkitted after all :-(
>
> You'll need to do a more sophisticated forensic analysis, then, to
> figure out what happened. Some basic questions: were you running a
> file integrity monitor? What did it say? Do you have logs that were
> remotely backed up (and, therefore, likely still accurate)? What do
> they say? Do you have any network monitoring that might have
> recorded an intrusion? What services /should/ be running on the box
> (I don't think this was ever actually listed -- it would be useful
> to know)? Do you have dumps of the traffic leaving or entering the
> box?

Well, I thought my setup was secure enough for a very basic 
router/gateway/firewall for a couple of Windows machines using a sucky 
internet connection which is not worth stealing. So I didn't go through the 
effort of using a file integrity monitor, remote logging, traffic dumps or 
network monitors (jeez, sysadmins lives are really difficult these days :-( ) 
The services that should be running on the box are:

LAN only: samba, dnsmasq
LAN and WAN: ssh/rsync

I wanted to use rsync with ssh authentication/remote shell to sync my /etc 
and /usr/etc to my workstation and then comparing the "update" with a static 
copy to find out if anything had changed. But before I could do that, the one 
server mysteriously had its ssh/rsync disabled and I didn't take a healthy 
copy of /etc of the other one to begin with :-(

> Again, this is a tough and very unfortunate position to be in -- I
> sympathize. It may very well not be worth the time it takes to fully
> investigate the source of the compromise. Real forensic anal

Re: I have been hacked (WAS: Have I been hacked or is nmap wrong?)

2006-01-18 Thread chris
sendmail_enable="NONE" would do the same as all that other crap mentioned
I find it a waste of time trying to figure out how a hacker got in just
format the machine reinstall freebsd and secure the box up a bit and try
updating it when vulnerabilities are out. And this shouldn't happen again

>> Also, I said smtp ports were open on the machines in question, I just
>> verified
>> that I can send emails via BOTH these systems even though no
>> sendmail/exim/whatever was ever installed by me and
>> sendmail_enable="None" on
>> both.
>
> For what it's worth, to disable sendmail on 5.0 and later, you need:
>
> sendmail_enable="NO"
> sendmail_submit_enable="NO"
> sendmail_outbound_enable="NO"
> sendmail_msp_queue_enable="NO"
>
> All those lines need to go in your /etc/rc.conf file, just the top line on
> its own will only stop mail coming into your system and I think it has to
> be
> "NO" not "None", but I'm not 100% on that.
>
> The above is from the Handbook:
>
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/mail-changingmta.html
>
> --
> Paul


Re: I have been hacked (WAS: Have I been hacked or is nmap wrong?)

2006-01-18 Thread Crispy Beef
Also, I said smtp ports were open on the machines in question, I just verified 
that I can send emails via BOTH these systems even though no 
sendmail/exim/whatever was ever installed by me and sendmail_enable="None" on 
both.


For what it's worth, to disable sendmail on 5.0 and later, you need:

sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

All those lines need to go in your /etc/rc.conf file, just the top line on 
its own will only stop mail coming into your system and I think it has to be 
"NO" not "None", but I'm not 100% on that.


The above is from the Handbook:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/mail-changingmta.html

--
Paul
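Paul's four lines lend themselves to a small check you can run against an rc.conf before (and after) rebuilding a box. The script below is an added example, not code from the thread or from the Handbook; it enforces only the explicit four-variable form listed above and does not try to model what rc.d does with the sendmail_enable="NONE" shorthand the posters disagree about. The rc.conf fragments it checks are constructed here, the "weak" one being the single sendmail_enable="None" line from the thread.

```shell
#!/bin/sh
# Added example, not from the thread or the Handbook: lint an rc.conf for the
# four explicit sendmail_* settings. Sample rc.conf fragments are constructed.
set -eu

# check_sendmail_rcconf FILE: print one line per problem; exit 1 if any.
# rc.conf is sourced by sh, so the last assignment of a variable wins and
# anything after '#' is a comment; the parser mirrors both rules.
check_sendmail_rcconf() {
    awk '
        BEGIN { n = split("sendmail_enable sendmail_submit_enable sendmail_outbound_enable sendmail_msp_queue_enable", want, " ") }
        /^[ \t]*#/ { next }
        /^[ \t]*sendmail_[a-z_]*=/ {
            sub(/^[ \t]*/, ""); sub(/[ \t]*#.*$/, "")
            eq = index($0, "=")
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/"/, "", val)
            seen[key] = val
        }
        END {
            for (i = 1; i <= n; i++) {
                k = want[i]
                if (!(k in seen)) { print "MISSING " k " (add " k "=\"NO\")"; bad = 1 }
                else if (toupper(seen[k]) != "NO") { print "WRONG   " k "=\"" seen[k] "\" (expected \"NO\")"; bad = 1 }
            }
            if (bad) exit 1
        }
    ' "$1"
}

# sample_rcconf NAME: write one of three constructed rc.conf fragments.
#   weak  - the single "None" line from the thread
#   fixed - the four lines the Handbook page gives
#   typo  - lower-case "no" is accepted, a stray "YES" is not
sample_rcconf() {
    case "$1" in
        weak)  printf 'sendmail_enable="None"   # what the thread had\nsshd_enable="YES"\n' ;;
        fixed) printf '# mail handled elsewhere\nsendmail_enable="NO"\nsendmail_submit_enable="NO"\nsendmail_outbound_enable="NO"\nsendmail_msp_queue_enable="NO"\n' ;;
        typo)  printf 'sendmail_enable="NO"\nsendmail_submit_enable="NO"\nsendmail_outbound_enable="no"\nsendmail_msp_queue_enable="YES"\n' ;;
    esac
}

# report NAME: run the check on a sample and print findings plus a verdict.
report() {
    f=$(mktemp)
    sample_rcconf "$1" > "$f"
    if check_sendmail_rcconf "$f"; then echo "$1: OK"; else echo "$1: FIX NEEDED"; fi
    rm -f "$f"
}

for s in weak fixed typo; do report "$s"; done
```

On a real host, point check_sendmail_rcconf at /etc/rc.conf (and any rc.conf.local) and then confirm with sockstat -4l that nothing is still bound to port 25; the config check says what will happen at next boot, the socket table says what is happening now.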


Re: I have been hacked (WAS: Have I been hacked or is nmap wrong?)

2006-01-18 Thread Will Maier
On Wed, Jan 18, 2006 at 03:56:32PM +0200, Kilian Hagemann wrote:
> I have never even heard of "frox" before, but after some googling
> it turns out that it's a GPL'ed transparent ftp proxy...

Where's it pointing?

> Also, I said smtp ports were open on the machines in question, I
> just verified that I can send emails via BOTH these systems even
> though no sendmail/exim/whatever was ever installed by me and
> sendmail_enable="None" on both.

What do you see when you connect to the SMTP ports? Are they really
mail servers, or just rogue services running on 25?

> My servers have been compromised, fantastic. And that with an
> initial firewall'ed setup that left NO open ports (I verified that
> a while ago with nmap). So much for my impression that FreeBSD was
> secure.

My condolences; what you describe, though, doesn't really suggest
that /FreeBSD/ is insecure. In the vast majority of these situations
(and yes, I have found myself in your shoes before), the operator
(you or I) is to blame.

> How could this have happened? ipfw buffer overflow? Some other
> unknown vulnerability?

Ockham's razor: the simplest is also the most likely solution.
You're running Samba; is there any chance that that service or your
configuration of it could have opened a hole? How many people have
user accounts on that box? Do you allow
ChallengeResponseAuthentication on SSH? Key only?

> I really wanna find out how they got in (syslog offers no clues
> btw, I've been rootkitted after all :-( 

You'll need to do a more sophisticated forensic analysis, then, to
figure out what happened. Some basic questions: were you running a
file integrity monitor? What did it say? Do you have logs that were
remotely backed up (and, therefore, likely still accurate)? What do
they say? Do you have any network monitoring that might have
recorded an intrusion? What services /should/ be running on the box
(I don't think this was ever actually listed -- it would be useful
to know)? Do you have dumps of the traffic leaving or entering the
box?

Again, this is a tough and very unfortunate position to be in -- I
sympathize. It may very well not be worth the time it takes to fully
investigate the source of the compromise. Real forensic analysis is
outside most of our job descriptions; I know that my skillset
doesn't cover it well enough. An inept investigation can be much
worse than no investigation at all: consider (if you can afford it)
bringing in someone who can do a quick, good job of it.

> Any suggestions other than format/reinstall/tripwire?

I can't think of any better ideas. Certainly, I'd add updating the
system to your list. Even if the Security Alerts don't seem to
affect your setup, I find it's good practice to apply them in a
reasonable amount of time. At the very least, it keeps me in touch
with my boxes and lets me develop a routine in case an alert does
affect me.

Good luck!

-- 

o--{ Will Maier }--o
| jabber:[EMAIL PROTECTED] | email:[EMAIL PROTECTED] |
| [EMAIL PROTECTED] | [EMAIL PROTECTED] |
*--[ BSD Unix: Live Free or Die ]--*


I have been hacked (WAS: Have I been hacked or is nmap wrong?)

2006-01-18 Thread Kilian Hagemann
On Wednesday 18 January 2006 14:34, Ken Stevenson pondered:
> Is there any chance you have a router that's forwarding the ports
> in question to another computer?

Not that I know of. The setup is quite simple:

 wireless   ethernet(PPPoE)  ethernet
ISP<--->Modem<-->FreeBSD gateway<--->LAN

FreeBSD is my router with ppp -ddial -nat and a custom ipfw script that blocks 
all incoming connections while allowing legitimate traffic out (with 
keep-state rules).

Check this out: ftp  gives

220 Frox transparent ftp proxy. Login with [EMAIL PROTECTED]:port]]
Name (...)

I have never even heard of "frox" before, but after some googling it turns out 
that it's a GPL'ed transparent ftp proxy...

Also, I said smtp ports were open on the machines in question, I just verified 
that I can send emails via BOTH these systems even though no 
sendmail/exim/whatever was ever installed by me and sendmail_enable="None" on 
both.

My servers have been compromised, fantastic. And that with an initial 
firewall'ed setup that left NO open ports (I verified that a while ago with 
nmap). So much for my impression that FreeBSD was secure.

How could this have happened? ipfw buffer overflow? Some other unknown 
vulnerability?

I really wanna find out how they got in (syslog offers no clues btw, I've been 
rootkitted after all :-( Any suggestions other than 
format/reinstall/tripwire?

-- 
Kilian Hagemann

Climate Systems Analysis Group
University of Cape Town
Republic of South Africa
Tel(w): ++27 21 650 2748


Re: Have I been hacked or is nmap wrong?

2006-01-18 Thread Ken Stevenson
On Wed, Jan 18, 2006 at 11:29:38AM +0200, Kilian Hagemann wrote:
> On Tuesday 17 January 2006 19:27, Micheal Patterson pondered:
> > > The 1663 ports scanned but not shown below are in state: filtered)
> > > PORT STATE SERVICE
> > > 80/tcp   open  http
> > > 554/tcp  open  rtsp
> > > 1755/tcp open  wms
> > > 5190/tcp open  aol
> >
> > Kilian, what does a sockstat show you on those systems and are there any
> > nats on either of these systems that would have a redirect_address to
> > something behind them?
> 
> sockstat -4l only shows up the processes serving the LAN (dnsmasq, samba) as 
> well as sshd:
> USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
> root     smbd       484   18 tcp4   192.168.133.1:445     *:*
> root     smbd       484   19 tcp4   192.168.133.1:139     *:*
> root     nmbd       480   6  udp4   *:137                 *:*
> root     nmbd       480   7  udp4   *:138                 *:*
> root     nmbd       480   8  udp4   192.168.133.1:137     *:*
> root     nmbd       480   9  udp4   192.168.133.1:138     *:*
> nobody   dnsmasq    458   1  udp4   *:56212               *:*
> nobody   dnsmasq    458   3  udp4   *:53                  *:*
> nobody   dnsmasq    458   4  tcp4   *:53                  *:*
> nobody   dnsmasq    458   5  udp4   *:67                  *:*
> root     sshd       432   3  tcp4   *:22                  *:*
> root     syslogd    311   4  udp4   *:514                 *:*
> 
> So nothing suspect at all here. Yes, the systems are natted (with above system 
> LAN on 192.168.133.0/24), using ppp -nat. I have no specific redirects set 
> up, and only a "allow tcp/udp from LAN to WAN/any setup keep-state" dynamic 
> rule, but that should be unrelated.
> 
> If my server is not compromised, how the heck could an http/rtsp/wms/aol 
> redirect sneak in there without me explicitly enabling it?
> 
Is there any chance you have a router that's forwarding the ports
in question to another computer?
-- 
Ken Stevenson
Allen-Myland Inc.


Re: Have I been hacked or is nmap wrong?

2006-01-18 Thread Kilian Hagemann
On Tuesday 17 January 2006 19:27, Micheal Patterson pondered:
> > The 1663 ports scanned but not shown below are in state: filtered)
> > PORT STATE SERVICE
> > 80/tcp   open  http
> > 554/tcp  open  rtsp
> > 1755/tcp open  wms
> > 5190/tcp open  aol
>
> Kilian, what does a sockstat show you on those systems and are there any
> nats on either of these systems that would have a redirect_address to
> something behind them?

sockstat -4l only shows up the processes serving the LAN (dnsmasq, samba) as 
well as sshd:
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     smbd       484   18 tcp4   192.168.133.1:445     *:*
root     smbd       484   19 tcp4   192.168.133.1:139     *:*
root     nmbd       480   6  udp4   *:137                 *:*
root     nmbd       480   7  udp4   *:138                 *:*
root     nmbd       480   8  udp4   192.168.133.1:137     *:*
root     nmbd       480   9  udp4   192.168.133.1:138     *:*
nobody   dnsmasq    458   1  udp4   *:56212               *:*
nobody   dnsmasq    458   3  udp4   *:53                  *:*
nobody   dnsmasq    458   4  tcp4   *:53                  *:*
nobody   dnsmasq    458   5  udp4   *:67                  *:*
root     sshd       432   3  tcp4   *:22                  *:*
root     syslogd    311   4  udp4   *:514                 *:*

So nothing suspect at all here. Yes, the systems are natted (with above system 
LAN on 192.168.133.0/24), using ppp -nat. I have no specific redirects set 
up, and only a "allow tcp/udp from LAN to WAN/any setup keep-state" dynamic 
rule, but that should be unrelated.

If my server is not compromised, how the heck could an http/rtsp/wms/aol 
redirect sneak in there without me explicitly enabling it?

-- 
Kilian Hagemann

Climate Systems Analysis Group
University of Cape Town
Republic of South Africa
Tel(w): ++27 21 650 2748


Re: Have I been hacked or is nmap wrong?

2006-01-17 Thread Micheal Patterson
- Original Message - 
From: "Kilian Hagemann" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, January 17, 2006 11:07 AM
Subject: Have I been hacked or is nmap wrong?

Hi there,

I'm managing two FreeBSD based gateways, one running 5.2.1-RELEASE and the
other 5.3-STABLE, both not having been updated since I installed from ISO
images. They both have custom ipfw firewalls that are dropping pretty much
everything that's not supposed to come in.

All was fine and dandy until one day I noticed that when I nmap'ed them from
the outside, the one shows

The 1663 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
80/tcp   open  http
554/tcp  open  rtsp
1755/tcp open  wms
5190/tcp open  aol

Kilian, what does a sockstat show you on those systems and are there any 
nats on either of these systems that would have a redirect_address to 
something behind them?

--

Micheal Patterson 


Re: Have I been hacked or is nmap wrong?

2006-01-17 Thread Ken Stevenson
On Tue, Jan 17, 2006 at 07:07:17PM +0200, Kilian Hagemann wrote:
> Hi there,
> 
> I'm managing two FreeBSD based gateways, one running 5.2.1-RELEASE and the 
> other 5.3-STABLE, both not having been updated since I installed from ISO 
> images. They both have custom ipfw firewalls that are dropping pretty much 
> everything that's not supposed to come in.
> 
> All was fine and dandy until one day I noticed that when I nmap'ed them from 
> the outside, the one shows
> 
> The 1663 ports scanned but not shown below are in state: filtered)
> PORT STATE SERVICE
> 80/tcp   open  http
> 554/tcp  open  rtsp
> 1755/tcp open  wms
> 5190/tcp open  aol
> 
> and the other the same without the http bit. When I nmap them from the only 
> address that they allow ssh&rsync access from (my public IP at work), nmap 
> says that ftp, smtp and irc(port 6668) are open.
> 
> Even though I have sendmail_enable="none" in my rc.conf I still get some 
> sendmail entries in my syslog so that might explain the open smtp port, but 
> the others are DEFINITELY NOT supposed to be open.
> 
> I haven't noticed anything different on the servers themselves and neither
> can I detect these open ports on the machine itself (using lsof -i :1-65535 or 
> netstat). I also haven't noticed any abnormal traffic volumes originating 
> from them.
> 
> So, have I been hacked and rootkitted? Or is nmap simply lying to me?
> 
> I've been subscribed to freebsd-announce and thus seen all SA's to date, but 
> none of them are relevant to any of my setups.
> 

Run sockstat -4l and see what commands are listening on the ports in
question.
-- 
Ken Stevenson
Allen-Myland Inc.
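Ken's suggestion (sockstat -4l) and the listener table Kilian posted in reply (earlier on this page, since the thread is listed newest first) are the two halves of one check: what the box says it is listening on, set against what the operator intended and what the outside scan saw. The script below is an added example, not code from the thread or from FreeBSD. Its inputs are constructed from the figures in the thread (the sockstat table, the four nmap ports, the intended services samba, dnsmasq and sshd), and the UNEXPECTED and PHANTOM labels are my own. A flagged listener is something to account for rather than proof of compromise: dnsmasq's high UDP port is its query socket, and FreeBSD's syslogd binds UDP 514 unless started with -ss. A port that scans open with no local socket behind it is the one that cannot be explained away locally, which is exactly the situation in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: reconcile the host's own listener
# table (sockstat -4l) with an operator allowlist and with the ports an
# outside scan reported open. All inputs below are constructed from the
# thread's figures; on a real box, feed it live sockstat and scanner output.
set -eu

# Constructed: the sockstat -4l table Kilian posted.
SOCKSTAT_SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     smbd       484   18 tcp4   192.168.133.1:445     *:*
root     smbd       484   19 tcp4   192.168.133.1:139     *:*
root     nmbd       480   6  udp4   *:137                 *:*
root     nmbd       480   7  udp4   *:138                 *:*
root     nmbd       480   8  udp4   192.168.133.1:137     *:*
root     nmbd       480   9  udp4   192.168.133.1:138     *:*
nobody   dnsmasq    458   1  udp4   *:56212               *:*
nobody   dnsmasq    458   3  udp4   *:53                  *:*
nobody   dnsmasq    458   4  tcp4   *:53                  *:*
nobody   dnsmasq    458   5  udp4   *:67                  *:*
root     sshd       432   3  tcp4   *:22                  *:*
root     syslogd    311   4  udp4   *:514                 *:*'

# Constructed: the TCP ports the external nmap run reported as open.
SCAN_SAMPLE='80
554
1755
5190'

# What the operator says should be running (samba, dnsmasq, sshd), as
# proto:port:command entries. Anything not covered here gets reported.
EXPECTED='tcp4:445:smbd tcp4:139:smbd udp4:137:nmbd udp4:138:nmbd
udp4:53:dnsmasq tcp4:53:dnsmasq udp4:67:dnsmasq tcp4:22:sshd'

# listeners TEXT: print "proto port command" per socket, header dropped.
listeners() {
    printf '%s\n' "$1" | awk 'NR > 1 { n = split($6, a, ":"); print $5, a[n], $2 }'
}

# unexpected_listeners TEXT ALLOWLIST: sockets the allowlist does not cover.
unexpected_listeners() {
    allow=" $(printf '%s' "$2" | tr '\n' ' ') "
    listeners "$1" | while read -r proto port cmd; do
        case "$allow" in
            *" $proto:$port:$cmd "*) ;;
            *) printf 'UNEXPECTED LISTENER %s/%s %s\n' "$port" "$proto" "$cmd" ;;
        esac
    done
}

# phantom_ports SCAN_TEXT SOCKSTAT_TEXT: ports open from outside that no
# local tcp4 socket explains. Something other than a visible process on
# this host is answering: a NAT redirect, an upstream device, or a process
# that a rootkit hides from sockstat. Each one needs an explanation.
phantom_ports() {
    local_tcp=" $(listeners "$2" | awk '$1 == "tcp4" { printf "%s ", $2 }')"
    printf '%s\n' "$1" | while read -r port; do
        [ -n "$port" ] || continue
        case "$local_tcp" in
            *" $port "*) ;;
            *) printf 'PHANTOM %s/tcp open externally, no local listener\n' "$port" ;;
        esac
    done
}

unexpected_listeners "$SOCKSTAT_SAMPLE" "$EXPECTED"
phantom_ports "$SCAN_SAMPLE" "$SOCKSTAT_SAMPLE"
```

Run on the thread's data it reports syslogd on 514/udp and dnsmasq's 56212/udp as unexpected (both worth a look, neither alarming) and all four scanned ports as phantoms. Remember that sockstat itself is a binary on the suspect host; if the box is rootkitted, the comparison is only as honest as that binary, which is why the same check from known-good media, or a comparison against the NAT and redirect rules on the gateway, should follow.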


Have I been hacked or is nmap wrong?

2006-01-17 Thread Kilian Hagemann
Hi there,

I'm managing two FreeBSD based gateways, one running 5.2.1-RELEASE and the 
other 5.3-STABLE, both not having been updated since I installed from ISO 
images. They both have custom ipfw firewalls that are dropping pretty much 
everything that's not supposed to come in.

All was fine and dandy until one day I noticed that when I nmap'ed them from 
the outside, the one shows

The 1663 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
80/tcp   open  http
554/tcp  open  rtsp
1755/tcp open  wms
5190/tcp open  aol

and the other the same without the http bit. When I nmap them from the only 
address that they allow ssh&rsync access from (my public IP at work), nmap 
says that ftp, smtp and irc(port 6668) are open.

Even though I have sendmail_enable="none" in my rc.conf I still get some 
sendmail entries in my syslog so that might explain the open smtp port, but 
the others are DEFINITELY NOT supposed to be open.

I haven't noticed anything different on the servers themselves and neither can 
I detect these open ports on the machine itself (using lsof -i :1-65535 or 
netstat). I also haven't noticed any abnormal traffic volumes originating 
from them.

So, have I been hacked and rootkitted? Or is nmap simply lying to me?

I've been subscribed to freebsd-announce and thus seen all SA's to date, but 
none of them are relevant to any of my setups.

-- 
Kilian Hagemann

Climate Systems Analysis Group
University of Cape Town
Republic of South Africa
Tel(w): ++27 21 650 2748


Re: have i been hacked?

2004-04-14 Thread albi
On Wed, 14 Apr 2004 16:08:08 +
Daniela <[EMAIL PROTECTED]> wrote:

> > aragorn# ls -l /bin/rcp
> > -r-sr-xr-x  1 root  wheel  18392 Feb 23 20:41 /bin/rcp
> >
> > (notice the size!, someone mentioned that already on the list..)
> >
> > So obviously something weird happened.
> 
> That needn't be the case. Mine is 932532 bytes long (and it was already that 
> size after a fresh reinstall).
> And why? Debug symbols. I love to have them everywhere.
> Try to strip the file, and it will be much shorter.

apart from that, does one really need "rcp" at all? I recommend to delete as 
much as possible your setuid-apps, use jails for your services and read security-howtos
and if you really think your box is cracked, reinstall from scratch (and you'll sleep
better at night :)

when it comes to rootkits, try also : rkhunter from http://www.rootkit.nl

HTH,GL!



Re: have i been hacked?

2004-04-14 Thread Matthew Seaman
On Wed, Apr 14, 2004 at 04:08:08PM +, Daniela wrote:

[ size of the /bin/rcp executable ]

> That needn't be the case. Mine is 932532 bytes long (and it was already that 
> size after a fresh reinstall).
> And why? Debug symbols. I love to have them everywhere.
> Try to strip the file, and it will be much shorter.

Installed binaries should already be stripped if they're part of the
base system.  You have to make a special effort setting things in
/etc/make.conf to prevent binaries being stripped on installation.
The reason that rcp is so large on 4.x is that it's statically linked:

% ls -la /bin/rcp
-r-sr-xr-x  1 root  wheel  251572 Feb  7 12:43 /bin/rcp*
% file /bin/rcp
/bin/rcp: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), for 
FreeBSD 4.9, statically linked, stripped

On recent 5.x, rcp will be linked against the shared libc and
consequently rather smaller in size.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   26 The Paddocks
  Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
Tel: +44 1628 476614  Bucks., SL7 1TH UK




Re: have i been hacked?

2004-04-14 Thread dave
Hello everyone,
OK, I am almost certain I've been hacked now. I just checked the system
for some strange accounts or things i didn't recognize. I didn't see
anything in /etc/passwd, /etc/group, /etc/master.passwd, and so forth. I
however ran chkrootkit and got two very disturbing errors, firstly it was
going along reporting items as uninfected, then when it hit sniffer, the
first of several files it died with the error:
"Abort Trap"
I'm going to take this machine down, back it all up, and do a reinstall.
Also, an nmap scan of the machine from another box showed no unidentified
open services.
Keep the suggestions coming.
Thanks.
Dave.



Re: have i been hacked?

2004-04-14 Thread Dick Davies
* Luke Kearney <[EMAIL PROTECTED]> [0459 06:59]:
> 
> On Wed, 14 Apr 2004 00:51:06 -0400
> "dave" <[EMAIL PROTECTED]> granted us these pearls of wisdom:
> 
> > Hello,
> > Wondering if a system on my network has been hacked?
> > ls: Terminated
> > : No such file or directory
 
> > guardian.davemehler.net setuid diffs:
> > 1,52d0
> > < 94240 -r-sr-xr-x  1 root  wheel 448384 Jun  4 21:54:47 2003 /bin/rcp
> > < 117807 -r-sr-x---  1 root  operator  421832 Jun  4 21:55:39 2003
> > /sbin/mksnap_ffs
> > < 117826 -r-sr-xr-x  1 root  wheel 451668 Jun  4 21:55:43 2003
> > /sbin/ping
> > < 117827 -r-sr-xr-x  1 root  wheel 463444 Jun  4 21:55:43 2003
> > /sbin/ping6

> My first suggestion is to have a look at what services are running that
> shouldn't be. A hacked box is not much use to anyone if they cannot use
> it.  Try sockstat -4 and see if there are unusual ( unusual for this box )
> services running such as iirc related services. Take a look at your mail
> logs and see if there is unusual mail traffic.

If the box has been taken, you can't trust the binaries any more.
 
> If the attacker is still logged in ( probably unlikely ) you might get a
> hint from netstat -NA |grep ESTABLISHED 

-- 
Menu, n.:
A list of dishes which the restaurant has just run out of.
Rasputin :: Jack of All Trades - Master of Nuns


Re: have i been hacked?

2004-04-14 Thread Daniela
On Wednesday 14 April 2004 09:48, Remko Lodder wrote:
> Dan Strick wrote:
> >>   ...
> >>When i got the daily run
> >>output i noticed the setuid files have changed. Wondering if this box got
> >>hacked and if so where to look to confirm this?
> >>   ...
> >>
> >> Checking setuid files and devices:
> >> ls: Terminated
> >>
> >> : No such file or directory
> >>
> >> guardian.davemehler.net setuid diffs:
> >> 1,52d0
> >> < 94240 -r-sr-xr-x  1 root  wheel 448384 Jun  4 21:54:47 2003
> >> /bin/rcp ...

[...]

> aragorn# ls -l /bin/rcp
> -r-sr-xr-x  1 root  wheel  18392 Feb 23 20:41 /bin/rcp
>
> (notice the size!, someone mentioned that already on the list..)
>
> So obviously something weird happened.

That needn't be the case. Mine is 932532 bytes long (and it was already that 
size after a fresh reinstall).
And why? Debug symbols. I love to have them everywhere.
Try to strip the file, and it will be much shorter.

Daniela




Re: have i been hacked?

2004-04-14 Thread Remko Lodder
Clint,
> I think you misread my message.  Did "moving all the accounts and 
> reinstalling"  imply that I didn't do a reinstall?  I simply copied over 
> known original programs so I could make my backup and do some postmortem 
> before reinstalling the system.   As you say, who knows what other 
> programs were changed.  I wanted to use known good binaries.

My apologies, I indeed misread that part.
I read it as "overwritten the binaries with versions from other systems 
before I wanted to reinstall"; to me that implied that you did not 
reinstall.

Again, my apologies,

Good job to reinstall (:




--

Kind regards,

Remko Lodder
Elvandar.org/DSINet.org
www.mostly-harmless.nl A Dutch community for helping newcomers on the 
hackerscene


Re: have i been hacked?

2004-04-14 Thread Clint Gilders

> > I had someone get into one of my machines when I stupidly left telnet 
> > running and an email from the system much like yours was what first 
> > alerted me to it.   The kiddie had installed a new ls which didn't 
> > allow any switches.  I imagine '-l' is needed for the suid check, so 
> > it fails and reports all the files as changing.   I ran chkrootkit and 
> > it turned up nothing.   The kiddie had also replaced several other 
> > programs (login and ps were among them) and turned off syslog. I'm 
> > lucky to have several other systems, so I was able to copy over known 
> > original versions of the system tools that were changed and get the 
> > machine secured before moving all the accounts and reinstalling.
>
> Bad move, backup important data and reinstall your host, you cannot tell 
> which applications are affected or not (just spotted the obvious ones).
>
> If you intend to keep it running, well that's a security incident imho.
>
> Please consider it.

I think you misread my message.  Did "moving all the accounts and 
reinstalling"  imply that I didn't do a reinstall?  I simply copied over 
known original programs so I could make my backup and do some postmortem 
before reinstalling the system.   As you say, who knows what other 
programs were changed.  I wanted to use known good binaries.

--
Clint Gilders <[EMAIL PROTECTED]>
Director of Technology Services
OnlineHobbyist.com, Inc.


Re: have i been hacked?

2004-04-14 Thread Remko Lodder
Clint Gilders wrote:
> dave wrote:
> > Hello,
> > Wondering if a system on my network has been hacked? At approx 12:30
> > this evening the hard disk went crazy, I have been out of town lately and
> > have not checked any of the machines, when I did the CPU usage was at 15%
> > which on this machine it never gets above 1 maybe 1.5. So I looked, and I
> > had nearly 150 processes on the box, 9 running. When I got the daily run
> > output I noticed the setuid files have changed. Wondering if this box got
> > hacked and if so where to look to confirm this? And if so, what to do?
> > Thanks.
> > Dave.
> > Checking setuid files and devices:
> > ls: Terminated
> > : No such file or directory
> > guardian.davemehler.net setuid diffs:
> > 1,52d0
> > < 94240 -r-sr-xr-x  1 root  wheel 448384 Jun  4 21:54:47 2003 /bin/rcp
> > < 117807 -r-sr-x---  1 root  operator  421832 Jun  4 21:55:39 2003 /sbin/mksnap_ffs
> > < 117826 -r-sr-xr-x  1 root  wheel 451668 Jun  4 21:55:43 2003
>
> I had someone get into one of my machines when I stupidly left telnet 
> running and an email from the system much like yours was what first 
> alerted me to it.   The kiddie had installed a new ls which didn't allow 
> any switches.  I imagine '-l' is needed for the suid check, so it fails 
> and reports all the files as changing.   I ran chkrootkit and it turned 
> up nothing.   The kiddie had also replaced several other programs (login 
> and ps were among them) and turned off syslog. I'm lucky to have 
> several other systems, so I was able to copy over known original 
> versions of the system tools that were changed and get the machine 
> secured before moving all the accounts and reinstalling.

Bad move, backup important data and reinstall your host, you cannot tell 
which applications are affected or not (just spotted the obvious ones).

If you intend to keep it running, well that's a security incident imho.

Please consider it.

--

Kind regards,

Remko Lodder
Elvandar.org/DSINet.org
www.mostly-harmless.nl A Dutch community for helping newcomers on the 
hackerscene


Re: have i been hacked?

2004-04-14 Thread Clint Gilders
dave wrote:
> Hello,
> Wondering if a system on my network has been hacked? At approx 12:30
> this evening the hard disk went crazy, I have been out of town lately and
> have not checked any of the machines, when I did the CPU usage was at 15%
> which on this machine it never gets above 1 maybe 1.5. So I looked, and I
> had nearly 150 processes on the box, 9 running. When I got the daily run
> output I noticed the setuid files have changed. Wondering if this box got
> hacked and if so where to look to confirm this? And if so, what to do?
> Thanks.
> Dave.
> Checking setuid files and devices:
> ls: Terminated
> : No such file or directory
> guardian.davemehler.net setuid diffs:
> 1,52d0
> < 94240 -r-sr-xr-x  1 root  wheel 448384 Jun  4 21:54:47 2003 /bin/rcp
> < 117807 -r-sr-x---  1 root  operator  421832 Jun  4 21:55:39 2003 /sbin/mksnap_ffs
> < 117826 -r-sr-xr-x  1 root  wheel 451668 Jun  4 21:55:43 2003

I had someone get into one of my machines when I stupidly left telnet 
running and an email from the system much like yours was what first 
alerted me to it.   The kiddie had installed a new ls which didn't allow 
any switches.  I imagine '-l' is needed for the suid check, so it fails 
and reports all the files as changing.   I ran chkrootkit and it turned 
up nothing.   The kiddie had also replaced several other programs (login 
and ps were among them) and turned off syslog. I'm lucky to have 
several other systems, so I was able to copy over known original 
versions of the system tools that were changed and get the machine 
secured before moving all the accounts and reinstalling.

--
Clint Gilders <[EMAIL PROTECTED]>
Director of Technology Services
OnlineHobbyist.com, Inc.


Re: have i been hacked?

2004-04-14 Thread Bart Silverstrim
On Apr 14, 2004, at 1:47 AM, Luke Kearney wrote:

> On Wed, 14 Apr 2004 00:51:06 -0400
> "dave" <[EMAIL PROTECTED]> granted us these pearls of wisdom:
> > Hello,
> > Wondering if a system on my network has been hacked? At approx 12:30
> > this evening the hard disk went crazy, i have been out of town lately and
> > have not checked any of the machines, when i did the CPU usage was at 15%


What about output from chkrootkit, to check to see whether any rootkit 
programs have been installed?



Re: have i been hacked?

2004-04-14 Thread Remko Lodder
Dan Strick wrote:
> > ...
> > When i got the daily run
> > output i noticed the setuid files have changed. Wondering if this box got
> > hacked and if so where to look to confirm this?
> > ...
> > Checking setuid files and devices:
> > ls: Terminated
> > : No such file or directory
> > guardian.davemehler.net setuid diffs:
> > 1,52d0
> > < 94240 -r-sr-xr-x  1 root  wheel 448384 Jun  4 21:54:47 2003 /bin/rcp
> > ...
>
> The "ls" command the security script uses to discover all of the setuid
> files on your system failed for some unspecified reason and this caused the
> script to think that all the setuid files discovered during the previous
> run of this security script had gone away.  The next time this script
> runs it may well report that these files have reappeared.
>
> This is probably not evidence that your system was hacked.

Then what does it tell you happened? When a file appears, that is 
rather strange; also notice the size of /bin/rcp

which differs from:

aragorn# ls -l /bin/rcp
-r-sr-xr-x  1 root  wheel  18392 Feb 23 20:41 /bin/rcp
(notice the size!, someone mentioned that already on the list..)

So obviously something weird happened.

I don't assume that you are not hacked; let's assume you are 
hacked.

Take out the hard disk and make a backup of it. Then seal the original 
disk so that you cannot mess that one up.

Do some forensics on the backed-up hard disk (not the original!)
For example install chkrootkit, to see whether it has a rootkit 
installed, check if you miss anything else. Are there files that you did 
not notice before? What network connections are being made when the host 
reboots, etc. etc.

I certainly think that it's really weird that a file increased that much 
in size (while my 5.2.1-p4 systems are up to date). I also think that the 
file the security output misses is strange; I assume that this isn't 
the first day the host is running.

Hope this helps a bit,

Also note that this is my consideration, and may or may not be backed up 
by other persons ;-)

> Dan Strick
> [EMAIL PROTECTED]
--

Kind regards,

Remko Lodder
Elvandar.org/DSINet.org
www.mostly-harmless.nl A Dutch community for helping newcomers on the 
hackerscene


Re: have i been hacked?

2004-04-14 Thread Dan Strick
>>
>...
> When i got the daily run
> output i noticed the setuid files have changed. Wondering if this box got
> hacked and if so where to look to confirm this?
>...
>
>  Checking setuid files and devices:
>  ls: Terminated
>  : No such file or directory
>
>  guardian.davemehler.net setuid diffs:
>  1,52d0
>  < 94240 -r-sr-xr-x  1 root  wheel 448384 Jun  4 21:54:47 2003 /bin/rcp
>...
>>

The "ls" command the security script uses to discover all of the setuid
files on your system failed for some unspecified reason and this caused the
script to think that all the setuid files discovered during the previous
run of this security script had gone away.  The next time this script
runs it may well report that these files have reappeared.

This is probably not evidence that your system was hacked.

Dan Strick
[EMAIL PROTECTED]
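As an added example (mine, not the FreeBSD periodic security script and not anything posted in this thread), here is a small sh(1) check that fails closed on exactly the case Dan describes: when the listing dies, it reports a tool failure instead of diffing an empty list against yesterday's and printing every setuid binary as removed. The function names, the inventory file names and the constructed demo tree are assumptions.

```shell
#!/bin/sh
# Added example: a fail-closed variant of the daily setuid check discussed in
# this thread. It is not FreeBSD's periodic security script; the function
# names, file names and the constructed demo tree are all assumptions.
# The failure it guards against: if the listing command dies ("ls: Terminated"),
# a naive "diff yesterday today" sees an empty today-file and reports every
# setuid binary as removed (the "1,52d0" hunk), which looks like a compromise
# but is a tool failure. Each inventory line is "crc size path" from cksum(1),
# so a replaced binary (like the oversized /bin/rcp) changes its line even if
# the path and mode are unchanged.

# setuid_inventory ROOT OUT: write the sorted inventory of setuid/setgid
# regular files under ROOT to OUT. Returns 1 if find(1) or cksum(1) failed or
# nothing was found; OUT is removed in that case so it can never be diffed.
setuid_inventory() {
    root=$1; out=$2; raw="$out.raw"
    # -xdev keeps find on one filesystem; -perm -4000 / -2000 = setuid / setgid
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print > "$raw"
    status=$?
    if [ "$status" -ne 0 ]; then
        rm -f "$raw" "$out"; return 1
    fi
    : > "$out"
    while IFS= read -r f; do
        cksum "$f" >> "$out" || { rm -f "$raw" "$out"; return 1; }
    done < "$raw"
    rm -f "$raw"
    # An empty inventory is a tool failure, not "all setuid files are gone"
    if [ ! -s "$out" ]; then
        rm -f "$out"; return 1
    fi
    sort -k 3 -o "$out" "$out"
}

# setuid_compare YESTERDAY TODAY: 0 = unchanged, 1 = changed (diff printed),
# 2 = today's inventory missing or empty (the check did not run; do not
# rotate today over yesterday, or the baseline is lost).
setuid_compare() {
    yesterday=$1; today=$2
    if [ ! -s "$today" ]; then
        echo "setuid check: today's inventory missing or empty; listing failed?" >&2
        return 2
    fi
    if [ ! -s "$yesterday" ]; then
        echo "setuid check: no previous inventory, recording baseline" >&2
        return 0
    fi
    diff "$yesterday" "$today" && return 0
    return 1
}

# Constructed demo tree (not a real system): two setuid files, one ordinary.
demo_setup() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/bin" "$d/usr/bin"
    printf 'rcp v1\n' > "$d/bin/rcp";    chmod 4755 "$d/bin/rcp"
    printf 'su v1\n'  > "$d/usr/bin/su"; chmod 4755 "$d/usr/bin/su"
    printf 'ls v1\n'  > "$d/bin/ls";     chmod 0755 "$d/bin/ls"
    echo "$d"
}

root=$(demo_setup)
setuid_inventory "$root" "$root/setuid.yesterday"
# Simulate a swapped binary: new content, same path and mode.
printf 'rcp REPLACED and much larger\n' > "$root/bin/rcp"; chmod 4755 "$root/bin/rcp"
setuid_inventory "$root" "$root/setuid.today"
setuid_compare "$root/setuid.yesterday" "$root/setuid.today"; echo "status: $?"
# Simulate the listing dying: no today-file at all -> status 2, not "1,52d0".
setuid_compare "$root/setuid.yesterday" "$root/nonexistent"; echo "status: $?"
rm -rf "$root"
```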


Re: have i been hacked?

2004-04-14 Thread dave
Hi,
Sorry, I should have specified: that's a 4.9 box, with the latest patches
and ports.
Thanks.
Dave.



Re: have i been hacked?

2004-04-13 Thread Kris Kennaway
On Wed, Apr 14, 2004 at 12:51:06AM -0400, dave wrote:
> Hello,
> Wondering if a system on my network has been hacked? At approx 12:30
> this evening the hard disk went crazy, i have been out of town lately and
> have not checked any of the machines, when i did the CPU usage was at 15%
> which on this machine it never gets above 1 maybe 1.5. So i looked, and i
> had nearly 150 processes on the box, 9 running. When i got the daily run
> output i noticed the setuid files have changed. Wondering if this box got
> hacked and if so where to look to confirm this? And if so, what to do?
> Thanks.
> Dave.

This is what you'd expect if someone did a 'make world' on that box -
are you sure there were no other admins online who might have rebuilt
or updated it?  If so, then something stranger is going on.

Kris




Re: have i been hacked?

2004-04-13 Thread Luke Kearney

On Wed, 14 Apr 2004 00:51:06 -0400
"dave" <[EMAIL PROTECTED]> granted us these pearls of wisdom:

> Hello,
> Wondering if a system on my network has been hacked? At approx 12:30
> this evening the hard disk went crazy, i have been out of town lately and
> have not checked any of the machines, when i did the CPU usage was at 15%
> which on this machine it never gets above 1 maybe 1.5. So i looked, and i
> had nearly 150 processes on the box, 9 running. When i got the daily run
> output i noticed the setuid files have changed. Wondering if this box got
> hacked and if so where to look to confirm this? And if so, what to do?
> Thanks.
> Dave.
> 
> 
> Checking setuid files and devices:
> ls: Terminated
> : No such file or directory
> 
> guardian.davemehler.net setuid diffs:
> 1,52d0
> < 94240 -r-sr-xr-x  1 root  wheel 448384 Jun  4 21:54:47 2003 /bin/rcp
> < 117807 -r-sr-x---  1 root  operator  421832 Jun  4 21:55:39 2003
> /sbin/mksnap_ffs
> < 117826 -r-sr-xr-x  1 root  wheel 451668 Jun  4 21:55:43 2003
> /sbin/ping
> < 117827 -r-sr-xr-x  1 root  wheel 463444 Jun  4 21:55:43 2003
> /sbin/ping6
> < 117839 -r-sr-x---  1 root  operator  431052 Jun  4 21:55:46 2003
> /sbin/shutdown
> < 94338 -r-sr-xr-x  4 root  wheel  21608 Jun  4 21:56:31 2003
> /usr/bin/at
> < 94338 -r-sr-xr-x  4 root  wheel  21608 Jun  4 21:56:31 2003
> /usr/bin/atq
> < 94338 -r-sr-xr-x  4 root  wheel  21608 Jun  4 21:56:31 2003
> /usr/bin/atrm
> < 94338 -r-sr-xr-x  4 root  wheel  21608 Jun  4 21:56:31 2003
> /usr/bin/batch
> < 94353 -r-sr-xr-x  6 root  wheel  17892 Jun  4 21:56:32 2003
> /usr/bin/chfn
> < 94353 -r-sr-xr-x  6 root  wheel  17892 Jun  4 21:56:32 2003
> /usr/bin/chpass
> < 94353 -r-sr-xr-x  6 root  wheel  17892 Jun  4 21:56:32 2003
> /usr/bin/chsh
> < 94553 -r-sr-xr-x  1 root  wheel27072 Jun  4 21:56:56 2003
> /usr/bin/crontab
> < 94384 -r-xr-sr-x  1 root  kmem   15416 Jun  4 21:56:35 2003
> /usr/bin/fstat
> < 94419 -r-sr-xr-x  1 root  wheel   7804 Jun  4 21:56:39 2003
> /usr/bin/lock
> < 94422 -r-sr-xr-x  1 root  wheel  18944 Jun  4 21:56:39 2003
> /usr/bin/login
> < 94560 -r-sr-sr-x  1 root  daemon   25344 Jun  4 21:57:13 2003
> /usr/bin/lpq.bak
> < 94561 -r-sr-sr-x  1 root  daemon   29216 Jun  4 21:57:14 2003
> /usr/bin/lpr.bak
> < 94562 -r-sr-sr-x  1 root  daemon   24108 Jun  4 21:57:14 2003
> /usr/bin/lprm.bak
> < 94441 -r-xr-sr-x  1 root  kmem  100776 Jun  4 21:56:41 2003
> /usr/bin/netstat
> < 94448 -r-sr-xr-x  1 root  wheel   4452 Jun  4 21:56:41 2003
> /usr/bin/opieinfo
> < 94450 -r-sr-xr-x  1 root  wheel11612 Jun  4 21:56:42 2003
> /usr/bin/opiepasswd
> < 94452 -r-sr-xr-x  2 root  wheel 5920 Jun  4 21:56:42 2003
> /usr/bin/passwd
> < 94458 -r-sr-xr-x  1 root  wheel11584 Jun  4 21:56:42 2003
> /usr/bin/quota
> < 94461 -r-sr-xr-x  1 root  wheel11008 Jun  4 21:56:42 2003
> /usr/bin/rlogin
> < 94465 -r-sr-xr-x  1 root  wheel 8564 Jun  4 21:56:43 2003 /usr/bin/rsh
> < 94478 -r-sr-xr-x  1 root  wheel12308 Jun  4 21:56:44 2003 /usr/bin/su
> < 94517 -r-xr-sr-x  1 root  kmem 15532 Jun  4 21:56:48 2003
> /usr/bin/vmstat
> < 94519 -r-xr-sr-x  1 root  tty  10516 Jun  4 21:56:48 2003
> /usr/bin/wall
> < 94527 -r-xr-sr-x  1 root  tty   8100 Jun  4 21:56:49 2003
> /usr/bin/write
> < 94353 -r-sr-xr-x  6 root  wheel  17892 Jun  4 21:56:32 2003
> /usr/bin/ypchfn
> < 94353 -r-sr-xr-x  6 root  wheel  17892 Jun  4 21:56:32 2003
> /usr/bin/ypchpass
> < 94353 -r-sr-xr-x  6 root  wheel  17892 Jun  4 21:56:32 2003
> /usr/bin/ypchsh
> < 94452 -r-sr-xr-x  2 root  wheel 5920 Jun  4 21:56:42 2003
> /usr/bin/yppasswd
> < 96169 -r-sr-xr-x  1 root  wheel 3540 Jun  4 21:55:29 2003
> /usr/libexec/pt_chown
> < 96150 -r-xr-sr-x  1 root  smmsp   629176 Jun  4 21:57:15 2003
> /usr/libexec/sendmail/sendmail
> < 108075 -rwsr-xr-x  1 root  daemon8624 Dec 21 18:00:36 2003
> /usr/local/bin/lppasswd
> < 73521 -rwsr-xr-x  1 root  wheel   285508 May 23 09:27:21 2003
> /usr/local/bin/screen
> < 72487 -rws--x--x  1 root  wheel   741976 May 23 11:00:24 2003
> /usr/local/bin/sperl5.6.1
> < 78399 ---s--x--x  1 root  wheel86484 May 23 11:56:11 2003
> /usr/local/bin/sudo
> < 77227 -rwxr-sr-x  1 root  maildrop  108333 Aug 25 02:17:22 2003
> /usr/local/sbin/postdrop
> < 77253 -rwxr-sr-x  1 root  maildrop   97362 Aug 25 02:17:23 2003
> /usr/local/sbin/postqueue
> < 96371 -r-xr-sr-x  1 root  daemon 45704 Jun  4 21:57:13 2003
> /usr/sbin/lpc
> < 96274 -r-sr-xr-x  1 root  wheel  22448 Jun  4 21:57:00 2003
> /usr/sbin/mrinfo
> < 96276 -r-sr-xr-x  1 root  wheel  31956 Jun  4 21:57:00 2003
> /usr/sbin/mtrace
> < 96418 -r-sr-xr--  1 root  network   367336 Jun  4 21:57:04 2003
> /usr/sbin/ppp
> < 96419 -r-sr-x---  1 root  dialer106692 Jun  4 21:57:05 2003
> /usr/sbin/pppd
> < 96328 -r-sr-x---  1 root  network14516 Jun  4 21:57:07 2003
> /usr/sbin/sliplogin
> < 96337 -r-sr-xr-x  1 root  wheel  16288 Jun  4 21:57:09 2003
> /usr/sb

Re: have i been hacked?

2004-04-13 Thread Micheal Patterson

- Original Message - 
From: "dave" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, April 13, 2004 11:51 PM
Subject: have i been hacked?


> Hello,
> Wondering if a system on my network has been hacked? At approx 12:30
> this evening the hard disk went crazy, i have been out of town lately and
> have not checked any of the machines, when i did the CPU usage was at 15%
> which on this machine it never gets above 1 maybe 1.5. So i looked, and i
> had nearly 150 processes on the box, 9 running. When i got the daily run
> output i noticed the setuid files have changed. Wondering if this box got
> hacked and if so where to look to confirm this? And if so, what to do?
> Thanks.
> Dave.
>
>
> Checking setuid files and devices:
> ls: Terminated
> : No such file or directory
>
> guardian.davemehler.net setuid diffs:
> 1,52d0
> < 94240 -r-sr-xr-x  1 root  wheel 448384 Jun  4 21:54:47 2003 /bin/rcp
> < 117807 -r-sr-x---  1 root  operator  421832 Jun  4 21:55:39 2003

Compared to my 4.9 systems, your rcp is nearly twice the size it should
be.

-r-sr-xr-x  1 root  wheel  251444 Apr  9 12:05 rcp

You didn't say which version you were running but if it's a 4.x, then I'd
say you've got a serious issue here. If you're running 5.x then I can't say.

--

Micheal Patterson
Network Administration
TSG Incorporated
405-917-0600



have i been hacked?

2004-04-13 Thread dave
Hello,
Wondering if a system on my network has been hacked? At approx 12:30
this evening the hard disk went crazy; I have been out of town lately and
have not checked any of the machines. When I did, the CPU usage was at 15%,
which on this machine never gets above 1, maybe 1.5. So I looked, and I
had nearly 150 processes on the box, 9 running. When I got the daily run
output I noticed the setuid files have changed. Wondering if this box got
hacked and if so where to look to confirm this? And if so, what to do?
Thanks.
Dave.


Checking setuid files and devices:
ls: Terminated
: No such file or directory

guardian.davemehler.net setuid diffs:
1,52d0
< 94240 -r-sr-xr-x  1 root  wheel 448384 Jun  4 21:54:47 2003 /bin/rcp
< 117807 -r-sr-x---  1 root  operator  421832 Jun  4 21:55:39 2003 /sbin/mksnap_ffs
< 117826 -r-sr-xr-x  1 root  wheel 451668 Jun  4 21:55:43 2003 /sbin/ping
< 117827 -r-sr-xr-x  1 root  wheel 463444 Jun  4 21:55:43 2003 /sbin/ping6
< 117839 -r-sr-x---  1 root  operator  431052 Jun  4 21:55:46 2003 /sbin/shutdown
< 94338 -r-sr-xr-x  4 root  wheel  21608 Jun  4 21:56:31 2003 /usr/bin/at
< 94338 -r-sr-xr-x  4 root  wheel  21608 Jun  4 21:56:31 2003 /usr/bin/atq
< 94338 -r-sr-xr-x  4 root  wheel  21608 Jun  4 21:56:31 2003 /usr/bin/atrm
< 94338 -r-sr-xr-x  4 root  wheel  21608 Jun  4 21:56:31 2003 /usr/bin/batch
< 94353 -r-sr-xr-x  6 root  wheel  17892 Jun  4 21:56:32 2003 /usr/bin/chfn
< 94353 -r-sr-xr-x  6 root  wheel  17892 Jun  4 21:56:32 2003 /usr/bin/chpass
< 94353 -r-sr-xr-x  6 root  wheel  17892 Jun  4 21:56:32 2003 /usr/bin/chsh
< 94553 -r-sr-xr-x  1 root  wheel  27072 Jun  4 21:56:56 2003 /usr/bin/crontab
< 94384 -r-xr-sr-x  1 root  kmem   15416 Jun  4 21:56:35 2003 /usr/bin/fstat
< 94419 -r-sr-xr-x  1 root  wheel   7804 Jun  4 21:56:39 2003 /usr/bin/lock
< 94422 -r-sr-xr-x  1 root  wheel  18944 Jun  4 21:56:39 2003 /usr/bin/login
< 94560 -r-sr-sr-x  1 root  daemon   25344 Jun  4 21:57:13 2003 /usr/bin/lpq.bak
< 94561 -r-sr-sr-x  1 root  daemon   29216 Jun  4 21:57:14 2003 /usr/bin/lpr.bak
< 94562 -r-sr-sr-x  1 root  daemon   24108 Jun  4 21:57:14 2003 /usr/bin/lprm.bak
< 94441 -r-xr-sr-x  1 root  kmem  100776 Jun  4 21:56:41 2003 /usr/bin/netstat
< 94448 -r-sr-xr-x  1 root  wheel   4452 Jun  4 21:56:41 2003 /usr/bin/opieinfo
< 94450 -r-sr-xr-x  1 root  wheel  11612 Jun  4 21:56:42 2003 /usr/bin/opiepasswd
< 94452 -r-sr-xr-x  2 root  wheel   5920 Jun  4 21:56:42 2003 /usr/bin/passwd
< 94458 -r-sr-xr-x  1 root  wheel  11584 Jun  4 21:56:42 2003 /usr/bin/quota
< 94461 -r-sr-xr-x  1 root  wheel  11008 Jun  4 21:56:42 2003 /usr/bin/rlogin
< 94465 -r-sr-xr-x  1 root  wheel   8564 Jun  4 21:56:43 2003 /usr/bin/rsh
< 94478 -r-sr-xr-x  1 root  wheel  12308 Jun  4 21:56:44 2003 /usr/bin/su
< 94517 -r-xr-sr-x  1 root  kmem   15532 Jun  4 21:56:48 2003 /usr/bin/vmstat
< 94519 -r-xr-sr-x  1 root  tty    10516 Jun  4 21:56:48 2003 /usr/bin/wall
< 94527 -r-xr-sr-x  1 root  tty     8100 Jun  4 21:56:49 2003 /usr/bin/write
< 94353 -r-sr-xr-x  6 root  wheel  17892 Jun  4 21:56:32 2003 /usr/bin/ypchfn
< 94353 -r-sr-xr-x  6 root  wheel  17892 Jun  4 21:56:32 2003 /usr/bin/ypchpass
< 94353 -r-sr-xr-x  6 root  wheel  17892 Jun  4 21:56:32 2003 /usr/bin/ypchsh
< 94452 -r-sr-xr-x  2 root  wheel   5920 Jun  4 21:56:42 2003 /usr/bin/yppasswd
< 96169 -r-sr-xr-x  1 root  wheel   3540 Jun  4 21:55:29 2003 /usr/libexec/pt_chown
< 96150 -r-xr-sr-x  1 root  smmsp   629176 Jun  4 21:57:15 2003 /usr/libexec/sendmail/sendmail
< 108075 -rwsr-xr-x  1 root  daemon    8624 Dec 21 18:00:36 2003 /usr/local/bin/lppasswd
< 73521 -rwsr-xr-x  1 root  wheel   285508 May 23 09:27:21 2003 /usr/local/bin/screen
< 72487 -rws--x--x  1 root  wheel   741976 May 23 11:00:24 2003 /usr/local/bin/sperl5.6.1
< 78399 ---s--x--x  1 root  wheel    86484 May 23 11:56:11 2003 /usr/local/bin/sudo
< 77227 -rwxr-sr-x  1 root  maildrop  108333 Aug 25 02:17:22 2003 /usr/local/sbin/postdrop
< 77253 -rwxr-sr-x  1 root  maildrop   97362 Aug 25 02:17:23 2003 /usr/local/sbin/postqueue
< 96371 -r-xr-sr-x  1 root  daemon   45704 Jun  4 21:57:13 2003 /usr/sbin/lpc
< 96274 -r-sr-xr-x  1 root  wheel    22448 Jun  4 21:57:00 2003 /usr/sbin/mrinfo
< 96276 -r-sr-xr-x  1 root  wheel    31956 Jun  4 21:57:00 2003 /usr/sbin/mtrace
< 96418 -r-sr-xr--  1 root  network  367336 Jun  4 21:57:04 2003 /usr/sbin/ppp
< 96419 -r-sr-x---  1 root  dialer   106692 Jun  4 21:57:05 2003 /usr/sbin/pppd
< 96328 -r-sr-x---  1 root  network   14516 Jun  4 21:57:07 2003 /usr/sbin/sliplogin
< 96337 -r-sr-xr-x  1 root  wheel    16288 Jun  4 21:57:09 2003 /usr/sbin/timedc
< 96338 -r-sr-xr-x  1 root  wheel    23392 Jun  4 21:57:09 2003 /usr/sbin/traceroute
< 96339 -r-sr-xr-x  1 root  wheel    16788 Jun  4 21:57:09 2003 /usr/sbin/traceroute6
< 96340 -r-xr-sr-x  1 root  kmem      8512 Jun  4 21:57:09 2003 /usr/sbin/trpt
mv: rename /var/log/setuid.today to /var/log/setuid.yesterd