have i been hacked?
Clint Gilders
techservices at onlinehobbyist.com
Wed Apr 14 07:23:52 PDT 2004
>> I had someone get into one of my machines when I stupidly left telnet
>> running and an email from the system much like yours was what first
>> alerted me to it. The kiddie had installed a new ls which didn't
>> allow any switches. I imagine '-l' is needed for the suid check, so
>> it fails and reports all the files as changing. I ran chkrootkit and
>> it turned up nothing. The kiddie had also replaced several other
>> programs (login and ps were among them) and turned off syslog. I'm
>> lucky to have several other systems, so I was able to copy over known
>> original versions of the system tools that were changed and get the
>> machine secured before moving all the accounts and reinstalling.
>>
>
> Bad move: back up important data and reinstall your host, you cannot tell
> which applications are affected or not (you just spotted the obvious ones).
>
> If you intend to keep it running, well that's a security incident imho.
>
> Please consider it.
I think you misread my message. Did "moving all the accounts and
reinstalling" imply that I didn't do a reinstall? I simply copied over
known original programs so I could make my backup and do some postmortem
before reinstalling the system. As you say, who knows what other
programs were changed. I wanted to use known good binaries.
--
Clint Gilders <techservices at onlinehobbyist.com>
Director of Technology Services
OnlineHobbyist.com, Inc.
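The thread above describes a trojaned `ls` that broke the periodic security check and hid from `chkrootkit`, which is why both posters end up comparing against known-good copies. The script below is an added example written for this page, not code from either poster or from FreeBSD: it records SHA-256 hashes of selected system binaries as a baseline and later reports any file that is missing or whose hash changed. The file tree it builds is constructed in a temporary directory purely for demonstration; the function names (`hash_file`, `make_baseline`, `verify_baseline`, `demo`) are this example's own. The baseline should be generated from install media or a clean host and the check run from a clean boot environment, since on a compromised box the hashing tool itself could have been replaced.

```shell
#!/bin/sh
# Added example (not from the thread): baseline and verify SHA-256 hashes
# of system binaries so a replaced ls/ps/login shows up as CHANGED.

# hash_file FILE -> prints the SHA-256 hex digest.
# Uses sha256sum (GNU/Linux) or sha256 -q (FreeBSD), whichever exists.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# make_baseline ROOT PATH... -> prints "hash  relative/path" per file.
# Run this against a trusted tree (install media, clean host) and keep the
# output off the monitored machine, e.g. on read-only media.
make_baseline() {
    root=$1
    shift
    for f in "$@"; do
        printf '%s  %s\n' "$(hash_file "$root/$f")" "$f"
    done
}

# verify_baseline BASELINE ROOT
# Prints one line per file that is MISSING or CHANGED relative to the
# baseline; returns 0 if everything matches, 1 if anything differs.
verify_baseline() {
    baseline=$1
    root=$2
    rc=0
    while read -r expected path; do
        if [ ! -f "$root/$path" ]; then
            echo "MISSING  $path"
            rc=1
            continue
        fi
        actual=$(hash_file "$root/$path")
        if [ "$actual" != "$expected" ]; then
            echo "CHANGED  $path"
            rc=1
        fi
    done < "$baseline"
    return $rc
}

# demo: build a constructed tree, record a baseline, then simulate one
# binary being replaced and show the check catching it.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/bin"
    printf 'original ls binary (constructed)\n' > "$d/bin/ls"
    printf 'original ps binary (constructed)\n' > "$d/bin/ps"
    printf 'original login binary (constructed)\n' > "$d/bin/login"
    make_baseline "$d" bin/ls bin/ps bin/login > "$d/baseline.txt"

    echo "-- clean tree --"
    verify_baseline "$d/baseline.txt" "$d" && echo "all files match baseline"

    # Simulate an attacker swapping in a different ls (constructed content).
    printf 'replacement ls (constructed)\n' > "$d/bin/ls"
    echo "-- after replacing bin/ls --"
    verify_baseline "$d/baseline.txt" "$d" || echo "integrity check FAILED"

    rm -rf "$d"
}

demo
```

`verify_baseline` never calls `ls` or `find` on the monitored tree; it only reads the paths listed in the baseline and hashes each one, so a trojaned `ls` without switch support cannot make the check misreport the way it did in the thread.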