have i been hacked?
Micheal Patterson
micheal at tsgincorporated.com
Tue Apr 13 22:29:05 PDT 2004
----- Original Message -----
From: "dave" <dmehler26 at woh.rr.com>
To: <freebsd-questions at freebsd.org>
Sent: Tuesday, April 13, 2004 11:51 PM
Subject: have i been hacked?
> Hello,
> Wondering if a system on my network has been hacked? At approx 12:30
> this evening the hard disk went crazy, I have been out of town lately and
> have not checked any of the machines, when I did the CPU usage was at 15%
> which on this machine it never gets above 1 maybe 1.5. So I looked, and I
> had nearly 150 processes on the box, 9 running. When I got the daily run
> output i noticed the setuid files have changed. Wondering if this box got
> hacked and if so where to look to confirm this? And if so, what to do?
> Thanks.
> Dave.
>
>
> Checking setuid files and devices:
> ls: Terminated
> : No such file or directory
>
> guardian.davemehler.net setuid diffs:
> 1,52d0
> < 94240 -r-sr-xr-x 1 root wheel 448384 Jun 4 21:54:47 2003 /bin/rcp
> < 117807 -r-sr-x--- 1 root operator 421832 Jun 4 21:55:39 2003
Compared to my 4.9 systems, your rcp is nearly twice the size it should
be.
-r-sr-xr-x 1 root wheel 251444 Apr 9 12:05 rcp
You didn't say which version you were running but if it's a 4.x, then I'd
say you've got a serious issue here. If you're running 5.x then I can't say.
--
Micheal Patterson
Network Administration
TSG Incorporated
405-917-0600
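
The size comparison made in the reply above, extended to a whole setuid listing, as an added example that is not part of the original thread. The function names, the sample listings and the `/usr/local/bin/example` path are assumptions made for illustration; only the two rcp sizes come from the messages. It also handles the case visible in the quoted report, where `ls: Terminated` is followed by a `1,52d0` diff, meaning lines 1-52 of the previous listing are absent from the new one.

```sh
#!/bin/sh
# Added example. Line format as in the quoted daily report (no spaces in paths):
#   inode mode links owner group size Mon day time year path
# compare_setuid BASELINE CURRENT -> exit 0 same, 1 differences, 2 no data
compare_setuid() {
    old=$1 new=$2
    # An empty listing usually means the scan was cut short (as with
    # "ls: Terminated"). Report "no data" instead of "every file removed".
    if [ ! -s "$new" ]; then
        echo "INCOMPLETE $new is empty; rerun the scan before comparing"
        return 2
    fi
    out=$(awk '
        pass == 1 { mode[$11] = $2; own[$11] = $4 ":" $5; size[$11] = $6; next }
        {
            seen[$11] = 1
            if (!($11 in mode)) { print "NEW", $11, $2, $4 ":" $5, $6; next }
            if (mode[$11] != $2 || own[$11] != ($4 ":" $5))
                print "PERM", $11, mode[$11], own[$11], "->", $2, $4 ":" $5
            if (size[$11] != $6) print "SIZE", $11, size[$11], "->", $6
        }
        END { for (p in mode) if (!(p in seen)) print "MISSING", p }
    ' pass=1 "$old" pass=2 "$new" | sort)
    if [ -z "$out" ]; then return 0; fi
    printf '%s\n' "$out"
    return 1
}

# Constructed sample listings. The two rcp sizes are the figures in the thread;
# every other line, inode and date is made up for the example.
write_samples() {
    cat > "$1/old" <<'EOF'
94240 -r-sr-xr-x 1 root wheel 251444 Apr 9 12:05:00 2004 /bin/rcp
94301 -r-sr-xr-x 1 root wheel 30112 Apr 9 12:05:00 2004 /usr/bin/passwd
94302 -r-sr-xr-x 1 root wheel 20480 Apr 9 12:05:00 2004 /usr/bin/su
EOF
    cat > "$1/new" <<'EOF'
94240 -r-sr-xr-x 1 root wheel 448384 Jun 4 21:54:47 2003 /bin/rcp
94301 -r-sr-xr-x 1 root wheel 30112 Apr 9 12:05:00 2004 /usr/bin/passwd
95000 -r-sr-xr-x 1 root wheel 9000 Apr 13 00:30:00 2004 /usr/local/bin/example
EOF
}

tmp=$(mktemp -d) && write_samples "$tmp"
compare_setuid "$tmp/old" "$tmp/new" || true
```

A size difference is only meaningful when the baseline comes from the same release and build. Checksums taken from known-good media are a stronger comparison than sizes.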