Hacked?

Mikko Työläjärvi mbsd at pacbell.net
Sun May 11 13:19:49 PDT 2003


On Sun, 11 May 2003, Blaine Kahle wrote:

> On Fri, May 09, 2003 at 11:01:21AM -0600, Brett Glass wrote:
> > At 08:25 AM 5/9/2003, Bjoern A. Zeeb wrote:
> >
> > >this assumes that truss is ok ;-) perhaps take the truss from your
> > >other 4.7 machine ...
> >
> > Yes, you do have to be careful of this. I recently investigated a
> > machine that had been "owned," and when truss was applied to some
> > commands (e.g. netstat) it produced no output.
>
> I'm showing that truss'ing netstat produces no output on several
> versions of FreeBSD that I have installed. Is this correct behavior? The
> truss and netstat binaries both check out when compared to the listings
> at http://www.knowngoods.org/

You can't trace setuid/setgid programs.  Netstat is setgid kmem.
If you really need to truss it, make a copy and run it as a user
with the requisite privileges (or root).

  $.02,
  /Mikko
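
An added example, not part of the original message or of FreeBSD: a small sh helper that checks whether a binary carries set-id bits (the reason truss produces no output for it) and prepares a copy without those bits, to be traced as root or as a user with the needed privileges. The function names and the temporary-directory layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: account for an empty truss trace before reading it as a sign of compromise.

# setid_kind FILE -> prints "setuid", "setgid", "setuid+setgid" or "none"
setid_kind() {
    kind=""
    [ -u "$1" ] && kind="setuid"
    [ -g "$1" ] && kind="${kind:+$kind+}setgid"
    echo "${kind:-none}"
}

# traceable_copy FILE DIR -> copies FILE into DIR without set-id bits, prints the copy's path
traceable_copy() {
    dest="$2/$(basename "$1")"
    cp "$1" "$dest" || return 1         # cp without -p does not carry set-id bits over
    chmod u-s,g-s "$dest" || return 1   # explicit, so the result does not depend on cp
    echo "$dest"
}

# Usage: sh thisfile.sh /usr/bin/netstat
if [ "$#" -eq 1 ]; then
    target=$1
    kind=$(setid_kind "$target")
    if [ "$kind" = "none" ]; then
        echo "$target has no set-id bits; the set-id rule does not explain an empty trace"
    else
        workdir=$(mktemp -d) || exit 1
        copy=$(traceable_copy "$target" "$workdir") || exit 1
        echo "$target is $kind, so it cannot be traced directly"
        echo "trace the copy as root or as a user with the needed privileges:"
        echo "  truss $copy"
    fi
fi
```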

