have i been hacked?
Remko Lodder
remko at elvandar.org
Wed Apr 14 02:48:52 PDT 2004
Dan Strick wrote:
>> ...
>>When I got the daily run
>>output I noticed the setuid files have changed. Wondering if this box got
>>hacked and if so where to look to confirm this?
>> ...
>>
>> Checking setuid files and devices:
>> ls: Terminated
>> : No such file or directory
>>
>> guardian.davemehler.net setuid diffs:
>> 1,52d0
>> < 94240 -r-sr-xr-x 1 root wheel 448384 Jun 4 21:54:47 2003 /bin/rcp
>> ...
>>
>
> The "ls" command the security script uses to discover all of the setuid
> files on your system failed for some unspecified reason and this caused the
> script to think that all the setuid files discovered during the previous
> run of this security script had gone away. The next time this script
> runs it may well report that these files have reappeared.
>
> This is probably not evidence that your system was hacked.
Then what does it tell you happened? When a file appears, that is
rather strange. Also notice the size of /bin/rcp,
which differs from:
aragorn# ls -l /bin/rcp
-r-sr-xr-x 1 root wheel 18392 Feb 23 20:41 /bin/rcp
(notice the size! Someone mentioned that already on the list.)
So obviously something weird happened.
I don't make the assumption that you are not hacked; let's assume you are
hacked.
Take out the hard disk and make a backup of it. Then seal the original
disk so that you cannot mess that one up.
Do some forensics on the backed-up hard disk (not the original!)
For example, install chkrootkit to see whether it has a rootkit
installed, and check if you miss anything else. Are there files that you did
not notice before? What network connections are being made when the host
reboots? etc. etc.
I certainly think that it's really weird that a file increased that much
in size (while my 5.2.1-p4 systems are up2date). I also think that the
file the security output misses is strange; I assume that this isn't
the first day the host is running.
Hope this helps a bit.
Also note that this is my consideration, and may or may not be backed up
by other persons ;-)
>
> Dan Strick
> strick at covad.net
--
Kind regards,
Remko Lodder
Elvandar.org/DSINet.org
www.mostly-harmless.nl A Dutch community for helping newcomers on the
hackerscene
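The thread turns on two things the daily security output does badly: a failed `ls` run is reported as "all setuid files removed", and a binary whose size changed (like /bin/rcp going from 18392 to 448384 bytes) only shows up as a removed line plus an added line. The following is an added example, not the FreeBSD security script and not code from anyone in the thread. It parses `ls -li`-style lines of the shape shown in the quoted output (inode, mode, links, owner, group, size, date, path), treats a listing containing unparsable lines such as `ls: Terminated` as a failed run rather than as a diff, and reports per-file mode or size changes separately from additions and removals. All listing text below is constructed for the example; only the two /bin/rcp sizes come from the thread.

```python
"""Compare a setuid-file inventory against a saved baseline.

Added example, not the FreeBSD periodic security script. Sample listings are
constructed; the two /bin/rcp sizes (18392 and 448384) are the values quoted
in the mailing-list thread.
"""
import re
from typing import Dict, List, NamedTuple, Tuple


class SetuidEntry(NamedTuple):
    mode: str
    owner: str
    group: str
    size: int


# One line of "ls -liT"-style output:
# "<inode> <mode> <links> <owner> <group> <size> <Mon D HH:MM:SS YYYY> <path>"
_LINE_RE = re.compile(
    r"^\s*(?P<inode>\d+)\s+(?P<mode>[-a-zA-Z]{10})\s+(?P<links>\d+)\s+"
    r"(?P<owner>\S+)\s+(?P<group>\S+)\s+(?P<size>\d+)\s+"
    r"(?P<date>.+?\d{4})\s+(?P<path>/\S.*)$"
)


def parse_listing(text: str) -> Tuple[Dict[str, SetuidEntry], List[str]]:
    """Return (entries keyed by path, lines that did not parse).

    Lines that do not parse (e.g. "ls: Terminated") are returned rather than
    silently dropped, so the caller can tell a failed run from an empty one.
    """
    entries: Dict[str, SetuidEntry] = {}
    bad_lines: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _LINE_RE.match(line)
        if m is None:
            bad_lines.append(line)
            continue
        entries[m["path"]] = SetuidEntry(
            m["mode"], m["owner"], m["group"], int(m["size"])
        )
    return entries, bad_lines


def compare_setuid(baseline_text: str, current_text: str) -> dict:
    """Diff today's setuid listing against the baseline.

    status is "listing_failed" when the current run produced error lines or
    came back empty while the baseline was not; in that case no add/remove
    report is produced, because it would only reflect the broken listing.
    """
    baseline, _ = parse_listing(baseline_text)
    current, bad_lines = parse_listing(current_text)
    if bad_lines or (baseline and not current):
        return {"status": "listing_failed", "errors": bad_lines,
                "added": [], "removed": [], "changed": {}}
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    # Same path on both sides but a different mode, owner, group or size:
    # this is the /bin/rcp case, reported as a change instead of remove+add.
    changed = {p: (baseline[p], current[p])
               for p in set(current) & set(baseline)
               if current[p] != baseline[p]}
    status = "diff" if (added or removed or changed) else "ok"
    return {"status": status, "errors": [], "added": added,
            "removed": removed, "changed": changed}


# Constructed sample data (paths and sizes other than /bin/rcp are made up).
BASELINE = "\n".join([
    "94240 -r-sr-xr-x 1 root wheel 18392 Feb 23 20:41:00 2004 /bin/rcp",
    "94241 -r-sr-xr-x 1 root wheel 26984 Feb 23 20:41:00 2004 /usr/bin/su",
    "94242 -r-sr-xr-x 1 root wheel 12004 Feb 23 20:41:00 2004 /usr/bin/passwd",
])
CURRENT = "\n".join([
    "94240 -r-sr-xr-x 1 root wheel 448384 Jun 4 21:54:47 2003 /bin/rcp",
    "94241 -r-sr-xr-x 1 root wheel 26984 Feb 23 20:41:00 2004 /usr/bin/su",
    "94242 -r-sr-xr-x 1 root wheel 12004 Feb 23 20:41:00 2004 /usr/bin/passwd",
    "101311 -r-sr-xr-x 1 root wheel 9920 Apr 13 03:12:00 2004 /usr/local/bin/newtool",
])
FAILED_RUN = "ls: Terminated\n: No such file or directory\n"

if __name__ == "__main__":
    for label, text in (("tampered", CURRENT), ("failed ls", FAILED_RUN)):
        print(label, compare_setuid(BASELINE, text))
```

The point of the `listing_failed` branch is exactly the trap Dan describes: when the inventory command dies, the honest answer is "I could not check today", not a 52-line list of vanished binaries, and the baseline should not be overwritten with the empty result.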