have i been hacked?
Luke Kearney
lukek at meibin.net
Tue Apr 13 22:53:57 PDT 2004
On Wed, 14 Apr 2004 00:51:06 -0400
"dave" <dmehler26 at woh.rr.com> granted us these pearls of wisdom:
> Hello,
> Wondering if a system on my network has been hacked? At approx 12:30
> this evening the hard disk went crazy, i have been out of town lately and
> have not checked any of the machines, when i did the CPU usage was at 15%
> which on this machine it never gets above 1 maybe 1.5. So i looked, and i
> had nearly 150 processes on the box, 9 running. When i got the daily run
> output i noticed the setuid files have changed. Wondering if this box got
> hacked and if so where to look to confirm this? And if so, what to do?
> Thanks.
> Dave.
>
>
> Checking setuid files and devices:
> ls: Terminated
> : No such file or directory
>
> guardian.davemehler.net setuid diffs:
> 1,52d0
> < 94240 -r-sr-xr-x 1 root wheel 448384 Jun 4 21:54:47 2003 /bin/rcp
> < 117807 -r-sr-x--- 1 root operator 421832 Jun 4 21:55:39 2003 /sbin/mksnap_ffs
> < 117826 -r-sr-xr-x 1 root wheel 451668 Jun 4 21:55:43 2003 /sbin/ping
> < 117827 -r-sr-xr-x 1 root wheel 463444 Jun 4 21:55:43 2003 /sbin/ping6
> < 117839 -r-sr-x--- 1 root operator 431052 Jun 4 21:55:46 2003 /sbin/shutdown
> < 94338 -r-sr-xr-x 4 root wheel 21608 Jun 4 21:56:31 2003 /usr/bin/at
> < 94338 -r-sr-xr-x 4 root wheel 21608 Jun 4 21:56:31 2003 /usr/bin/atq
> < 94338 -r-sr-xr-x 4 root wheel 21608 Jun 4 21:56:31 2003 /usr/bin/atrm
> < 94338 -r-sr-xr-x 4 root wheel 21608 Jun 4 21:56:31 2003 /usr/bin/batch
> < 94353 -r-sr-xr-x 6 root wheel 17892 Jun 4 21:56:32 2003 /usr/bin/chfn
> < 94353 -r-sr-xr-x 6 root wheel 17892 Jun 4 21:56:32 2003 /usr/bin/chpass
> < 94353 -r-sr-xr-x 6 root wheel 17892 Jun 4 21:56:32 2003 /usr/bin/chsh
> < 94553 -r-sr-xr-x 1 root wheel 27072 Jun 4 21:56:56 2003 /usr/bin/crontab
> < 94384 -r-xr-sr-x 1 root kmem 15416 Jun 4 21:56:35 2003 /usr/bin/fstat
> < 94419 -r-sr-xr-x 1 root wheel 7804 Jun 4 21:56:39 2003 /usr/bin/lock
> < 94422 -r-sr-xr-x 1 root wheel 18944 Jun 4 21:56:39 2003 /usr/bin/login
> < 94560 -r-sr-sr-x 1 root daemon 25344 Jun 4 21:57:13 2003 /usr/bin/lpq.bak
> < 94561 -r-sr-sr-x 1 root daemon 29216 Jun 4 21:57:14 2003 /usr/bin/lpr.bak
> < 94562 -r-sr-sr-x 1 root daemon 24108 Jun 4 21:57:14 2003 /usr/bin/lprm.bak
> < 94441 -r-xr-sr-x 1 root kmem 100776 Jun 4 21:56:41 2003 /usr/bin/netstat
> < 94448 -r-sr-xr-x 1 root wheel 4452 Jun 4 21:56:41 2003 /usr/bin/opieinfo
> < 94450 -r-sr-xr-x 1 root wheel 11612 Jun 4 21:56:42 2003 /usr/bin/opiepasswd
> < 94452 -r-sr-xr-x 2 root wheel 5920 Jun 4 21:56:42 2003 /usr/bin/passwd
> < 94458 -r-sr-xr-x 1 root wheel 11584 Jun 4 21:56:42 2003 /usr/bin/quota
> < 94461 -r-sr-xr-x 1 root wheel 11008 Jun 4 21:56:42 2003 /usr/bin/rlogin
> < 94465 -r-sr-xr-x 1 root wheel 8564 Jun 4 21:56:43 2003 /usr/bin/rsh
> < 94478 -r-sr-xr-x 1 root wheel 12308 Jun 4 21:56:44 2003 /usr/bin/su
> < 94517 -r-xr-sr-x 1 root kmem 15532 Jun 4 21:56:48 2003 /usr/bin/vmstat
> < 94519 -r-xr-sr-x 1 root tty 10516 Jun 4 21:56:48 2003 /usr/bin/wall
> < 94527 -r-xr-sr-x 1 root tty 8100 Jun 4 21:56:49 2003 /usr/bin/write
> < 94353 -r-sr-xr-x 6 root wheel 17892 Jun 4 21:56:32 2003 /usr/bin/ypchfn
> < 94353 -r-sr-xr-x 6 root wheel 17892 Jun 4 21:56:32 2003 /usr/bin/ypchpass
> < 94353 -r-sr-xr-x 6 root wheel 17892 Jun 4 21:56:32 2003 /usr/bin/ypchsh
> < 94452 -r-sr-xr-x 2 root wheel 5920 Jun 4 21:56:42 2003 /usr/bin/yppasswd
> < 96169 -r-sr-xr-x 1 root wheel 3540 Jun 4 21:55:29 2003 /usr/libexec/pt_chown
> < 96150 -r-xr-sr-x 1 root smmsp 629176 Jun 4 21:57:15 2003 /usr/libexec/sendmail/sendmail
> < 108075 -rwsr-xr-x 1 root daemon 8624 Dec 21 18:00:36 2003 /usr/local/bin/lppasswd
> < 73521 -rwsr-xr-x 1 root wheel 285508 May 23 09:27:21 2003 /usr/local/bin/screen
> < 72487 -rws--x--x 1 root wheel 741976 May 23 11:00:24 2003 /usr/local/bin/sperl5.6.1
> < 78399 ---s--x--x 1 root wheel 86484 May 23 11:56:11 2003 /usr/local/bin/sudo
> < 77227 -rwxr-sr-x 1 root maildrop 108333 Aug 25 02:17:22 2003 /usr/local/sbin/postdrop
> < 77253 -rwxr-sr-x 1 root maildrop 97362 Aug 25 02:17:23 2003 /usr/local/sbin/postqueue
> < 96371 -r-xr-sr-x 1 root daemon 45704 Jun 4 21:57:13 2003 /usr/sbin/lpc
> < 96274 -r-sr-xr-x 1 root wheel 22448 Jun 4 21:57:00 2003 /usr/sbin/mrinfo
> < 96276 -r-sr-xr-x 1 root wheel 31956 Jun 4 21:57:00 2003 /usr/sbin/mtrace
> < 96418 -r-sr-xr-- 1 root network 367336 Jun 4 21:57:04 2003 /usr/sbin/ppp
> < 96419 -r-sr-x--- 1 root dialer 106692 Jun 4 21:57:05 2003 /usr/sbin/pppd
> < 96328 -r-sr-x--- 1 root network 14516 Jun 4 21:57:07 2003 /usr/sbin/sliplogin
> < 96337 -r-sr-xr-x 1 root wheel 16288 Jun 4 21:57:09 2003 /usr/sbin/timedc
> < 96338 -r-sr-xr-x 1 root wheel 23392 Jun 4 21:57:09 2003 /usr/sbin/traceroute
> < 96339 -r-sr-xr-x 1 root wheel 16788 Jun 4 21:57:09 2003 /usr/sbin/traceroute6
> < 96340 -r-xr-sr-x 1 root kmem 8512 Jun 4 21:57:09 2003 /usr/sbin/trpt
> mv: rename /var/log/setuid.today to /var/log/setuid.yesterday: No such file or directory
>
> Checking for uids of 0:
> root 0
> toor 0
>
> Checking for passwordless accounts:
>
> guardian.davemehler.net login failures:
>
> guardian.davemehler.net refused connections:
>
> -- End of security output --
Hi,
My first suggestion is to have a look at what services are running that
shouldn't be. A hacked box is not much use to anyone if they cannot use
it. Try sockstat -4 and see if there are unusual (unusual for this box)
services running, such as IRC-related services. Take a look at your mail
logs and see if there is unusual mail traffic.
If the attacker is still logged in (probably unlikely) you might get a
hint from netstat -NA |grep ESTABLISHED
HTH
LukeK
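Added example, not from either poster and not FreeBSD's own code: a parser for the "setuid diffs" section of the daily security mail quoted above. The report Dave posted contains three signals that belong together: `ls: Terminated` under "Checking setuid files", a single hunk `1,52d0` with every line on the `<` side, and `mv: rename /var/log/setuid.today ... No such file`. The script reads the same text (quoted or unquoted, with mail-wrapped paths rejoined), records those signals, and separates "today's listing was never produced, so yesterday's whole list shows as removed" from a real change, where a path appears on both sides with a different size, or a new setuid file appears. Both sample reports in the block are constructed: `host.example.net`, the April 2004 entries and the `/tmp/.x` path are made up for illustration.

```python
"""Parse the "setuid diffs" section of a FreeBSD daily security mail and say what
the diff actually means.  Added example for this thread; not code from either
poster or from FreeBSD.  Both sample reports at the bottom are constructed."""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "inode mode links owner group size mtime path")

# One listing line as the daily check prints it:
#   inode mode links owner group size "Mon dd hh:mm:ss yyyy" path
ENTRY_RE = re.compile(
    r"^(?P<inode>\d+)\s+(?P<mode>[-rwxsStT]{10})\s+(?P<links>\d+)\s+"
    r"(?P<owner>\S+)\s+(?P<group>\S+)\s+(?P<size>\d+)\s+"
    r"(?P<mtime>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\d{4})\s+"
    r"(?P<path>/\S*)$")
HUNK_RE = re.compile(r"^\d+(?:,\d+)?([acd])(\d+)(?:,\d+)?$")  # "1,52d0", "2c2", "3a4"
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/")  # a new setuid file here is never legitimate


def unquote(lines):
    """Drop one level of '> ' mail quoting if every non-blank line carries it."""
    if lines and all(l.startswith(">") for l in lines if l.strip()):
        return [l[2:] if l.startswith("> ") else l.lstrip(">") for l in lines]
    return lines


def join_wrapped(lines):
    """Mail wrapping splits long entries: a line that is only a path belongs to the diff line before it."""
    out = []
    for l in lines:
        if out and l.startswith("/") and out[-1][:2] in ("< ", "> "):
            out[-1] += " " + l
        else:
            out.append(l)
    return out


def parse_security_output(text):
    """Return the error signals plus the '<' (yesterday-only) and '>' (today-only) entries."""
    rep = {"ls_terminated": False, "today_missing": False, "only_d0_hunks": True,
           "removed": [], "added": [], "unparsed": []}
    in_diff = False
    for l in join_wrapped(unquote(text.splitlines())):
        if l.startswith("ls:") and "Terminated" in l:
            rep["ls_terminated"] = True      # the listing pipeline was killed
        elif l.startswith("mv: rename") and "setuid.today" in l and "No such file" in l:
            rep["today_missing"] = True      # today's listing was never written
        elif l.endswith("setuid diffs:"):
            in_diff = True
        elif in_diff:
            m = HUNK_RE.match(l)
            if m:
                # "Nd0" deletes with nothing on today's side; any other hunk means today's list had content
                if not (m.group(1) == "d" and m.group(2) == "0"):
                    rep["only_d0_hunks"] = False
            elif l == "---":
                pass
            elif l[:2] in ("< ", "> "):
                e = ENTRY_RE.match(l[2:])
                if e:
                    d = e.groupdict()
                    d["inode"], d["size"] = int(d["inode"]), int(d["size"])
                    rep["removed" if l[0] == "<" else "added"].append(Entry(**d))
                else:
                    rep["unparsed"].append(l)
            else:
                in_diff = False
    return rep


def is_setuid(mode):
    return mode[3] in "sS"


def assess(rep):
    """Turn a parsed report into (level, path, detail) findings."""
    findings = []
    if rep["ls_terminated"] or rep["today_missing"]:
        findings.append(("TOOLING", None, "setuid listing did not complete (ls terminated / setuid.today missing)"))
        if rep["removed"] and not rep["added"] and rep["only_d0_hunks"]:
            findings.append(("TOOLING", None, "%d entries 'removed' and none added: yesterday's list was diffed "
                             "against nothing; re-run the check by hand before reading this as a change"
                             % len(rep["removed"])))
            return findings
    old = {e.path: e for e in rep["removed"]}
    new = {e.path: e for e in rep["added"]}
    for p in sorted(set(old) & set(new)):      # same path on both sides: the file itself changed
        a, b = old[p], new[p]
        findings.append(("CHANGED", p, "size %d->%d inode %d->%d mtime %s -> %s; compare with install media"
                         % (a.size, b.size, a.inode, b.inode, a.mtime, b.mtime)))
    for p in sorted(set(new) - set(old)):      # brand-new setuid/setgid file
        e = new[p]
        level = "HIGH" if (e.owner == "root" and is_setuid(e.mode)) or p.startswith(SCRATCH_DIRS) else "NEW"
        findings.append((level, p, "new %s %s:%s" % (e.mode, e.owner, e.group)))
    for p in sorted(set(old) - set(new)):      # gone, or no longer setuid
        findings.append(("REMOVED", p, "no longer in the setuid list"))
    for l in rep["unparsed"]:
        findings.append(("UNPARSED", None, l))
    return findings


# Constructed sample 1: the shape of the report quoted in this thread (ls killed,
# one pure-delete hunk, setuid.today never written), trimmed to three entries.
POSTED_STYLE = """\
> Checking setuid files and devices:
> ls: Terminated
> : No such file or directory
>
> host.example.net setuid diffs:
> 1,3d0
> < 94240 -r-sr-xr-x 1 root wheel 448384 Jun 4 21:54:47 2003 /bin/rcp
> < 94478 -r-sr-xr-x 1 root wheel 12308 Jun 4 21:56:44 2003 /usr/bin/su
> < 78399 ---s--x--x 1 root wheel 86484 May 23 11:56:11 2003
> /usr/local/bin/sudo
> mv: rename /var/log/setuid.today to /var/log/setuid.yesterday: No such file
> or directory
>
> Checking for uids of 0:
"""

# Constructed sample 2: the listing worked and something really changed.
REAL_CHANGE = """\
Checking setuid files and devices:

host.example.net setuid diffs:
2c2
< 94478 -r-sr-xr-x 1 root wheel 12308 Jun 4 21:56:44 2003 /usr/bin/su
---
> 94478 -r-sr-xr-x 1 root wheel 13100 Apr 13 00:31:02 2004 /usr/bin/su
3a4
> 120001 -rwsr-xr-x 1 root wheel 24576 Apr 13 00:31:40 2004 /tmp/.x/bin/sh

Checking for uids of 0:
"""

if __name__ == "__main__":
    for name, text in (("posted style", POSTED_STYLE), ("real change", REAL_CHANGE)):
        print("== %s" % name)
        for level, path, detail in assess(parse_security_output(text)):
            print("%-8s %-20s %s" % (level, path or "-", detail))
```

Feed it the saved daily mail (`python3 setuid_diff.py < security-mail.txt` with the sample constants swapped for `sys.stdin.read()`) and the two TOOLING lines tell you the diff is the check failing rather than 52 binaries disappearing, which is the first thing to confirm before spending the night on forensics; a CHANGED or HIGH line is the opposite answer and means the binary needs comparing with a trusted copy. Either way this only covers the setuid check, so the socket and mail-log review above still applies.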
More information about the freebsd-questions mailing list