have i been hacked?
Daniela
dgw at liwest.at
Wed Apr 14 08:14:30 PDT 2004
On Wednesday 14 April 2004 09:48, Remko Lodder wrote:
> Dan Strick wrote:
> >> ...
> >>When i got the daily run
> >>output i noticed the setuid files have changed. Wondering if this box got
> >>hacked and if so where to look to confirm this?
> >> ...
> >>
> >> Checking setuid files and devices:
> >> ls: Terminated
> >>
> >> : No such file or directory
> >>
> >> guardian.davemehler.net setuid diffs:
> >> 1,52d0
> >> < 94240 -r-sr-xr-x 1 root wheel 448384 Jun 4 21:54:47 2003
> >> /bin/rcp ...
[...]
> aragorn# ls -l /bin/rcp
> -r-sr-xr-x 1 root wheel 18392 Feb 23 20:41 /bin/rcp
>
> (notice the size!, someone mentioned that already on the list..)
>
> So obviously something weird happened.
That needn't be the case. Mine is 932532 bytes long (and it was already that
size after a fresh reinstall).
And why? Debug symbols. I love to have them everywhere.
Try to strip the file, and it will be much shorter.
Daniela
More information about the freebsd-questions
mailing list