Have I been hacked?
Ken Ebling
deevil at deevil.homeunix.org
Mon Jun 9 18:32:21 PDT 2003
I'm noticing something strange on two of my machines. They're both
4.7-RELEASE-p3 i386 and they've both been up 150 days without any
problems.
/var/log/messages on each system contains only:
Jun 9 12:00:01 in newsyslog[60291]: logfile turned over
dmesg's output is truncated. It periodically changes, but currently
it reads:
ite.net host=6532251hfc207.tampabay.rr.com [65.32.251.207]
What's really weird is that yesterday the messages file also only
contained the line about the log being turned over, but today I
unzipped messages.0 and it had entries for yesterday. I'm going to
check messages.0 again after midnight and see if any of today's entries
are there.
Hindsight is always 20/20, and now I wish I had tripwire or aide
installed. =/
I rebooted one of the machines, and now it seems to be acting normal
again.
I'm going to rebuild world on all my systems and install tripwire
anyway, but I'm kind of curious as to whether my machines have been
rooted or not. I don't know if chkrootkit v0.40 is very accurate or
even worthwhile, but it reported no problems. I also checked for
standard stuff like suid binaries and accounts with a uid of 0.
Nothing looks out of place, aside from the messages file being empty
and suddenly filling with data before newsyslog gzips it.
Any thoughts would be greatly appreciated,
Ken Ebling
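The checks the poster mentions (accounts with uid 0, setuid binaries, and the file-integrity baseline that tripwire or aide would have provided), scripted as an added example. This is not code from the original post or from the freebsd-security list; the passwd contents, paths and temporary tree it uses are constructed for the demo, and the digest tool is chosen at run time (sha256sum on Linux, sha256 on FreeBSD, cksum as a weak last resort).

```shell
#!/bin/sh
# Added example, not code from the original post. It scripts the quick
# "have I been rooted?" checks the poster describes (accounts with uid 0,
# setuid/setgid binaries) plus a minimal hash baseline/compare of the kind
# tripwire or aide automate. Paths are arguments; the demo at the end uses
# a constructed temporary tree, not a real system.

# uid0_accounts PASSWD_FILE: print every login whose uid field (3rd) is 0.
# Works on /etc/passwd and /etc/master.passwd alike (uid is field 3 in both).
uid0_accounts() {
    awk -F: 'NF >= 3 && $3 == 0 { print $1 }' "$1"
}

# setuid_files DIR: list regular files under DIR with the setuid or setgid bit.
setuid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null \
        | LC_ALL=C sort
}

# hash_file FILE: print a hex digest; prefers sha256, falls back to cksum.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    elif command -v sha256 >/dev/null 2>&1; then      # FreeBSD
        sha256 -q "$1"
    else
        cksum "$1" | awk '{ print $1 }'               # weak, last resort
    fi
}

# make_baseline DIR: emit "<digest>\t<path>" for every regular file under DIR,
# sorted by path. Store the output off the box (or on read-only media).
make_baseline() {
    find "$1" -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s\t%s\n' "$(hash_file "$f")" "$f"
    done
}

# compare_baseline BASELINE DIR: rehash DIR and report "added", "changed"
# and "removed" paths relative to BASELINE, one per line, tab separated.
compare_baseline() {
    make_baseline "$2" | awk -F'\t' -v base="$1" '
        BEGIN {
            while ((getline line < base) > 0) {
                split(line, p, "\t"); old[p[2]] = p[1]
            }
            close(base)
        }
        {
            if (!($2 in old))        print "added\t" $2
            else {
                seen[$2] = 1
                if (old[$2] != $1)   print "changed\t" $2
            }
        }
        END {
            for (f in old) if (!(f in seen)) print "removed\t" f
        }' | LC_ALL=C sort
}

# Demo on a constructed tree (not a real system): a fake passwd file with an
# extra uid-0 login, a fake bin/ with one setuid file, then a baseline diff.
demo() {
    t=$(mktemp -d "${TMPDIR:-/tmp}/rootck.XXXXXX") || return 1
    printf 'root:*:0:0:Charlie &:/root:/bin/csh\n'       >  "$t/passwd"
    printf 'toor:*:0:0:Bourne-again Superuser:/root:\n'  >> "$t/passwd"
    printf 'ken:*:1001:1001:Ken:/home/ken:/bin/sh\n'     >> "$t/passwd"
    printf 'sshd2:*:0:0:not a real account:/:/bin/sh\n'  >> "$t/passwd"
    mkdir "$t/bin"
    printf 'ping\n' > "$t/bin/ping"; chmod 4755 "$t/bin/ping"
    printf 'ls\n'   > "$t/bin/ls";   chmod 755  "$t/bin/ls"

    echo "uid 0 accounts:";  uid0_accounts "$t/passwd"
    echo "setuid/setgid:";   setuid_files "$t/bin"
    make_baseline "$t/bin" > "$t/baseline"
    printf 'replaced\n' > "$t/bin/ls"          # simulate a trojaned binary
    printf 'new\n' > "$t/bin/.hidden"          # simulate a dropped file
    rm -f "$t/bin/ping"
    echo "baseline diff:";   compare_baseline "$t/baseline" "$t/bin"
    rm -rf "$t"
}

demo
```

Two caveats a practitioner would add. On a stock FreeBSD system `toor` is a legitimate second uid-0 login, so the uid-0 listing needs to be compared against what the install shipped with, not just checked for "more than root". And on a box that may already be rooted, `find`, `awk` and the digest tool are exactly the binaries a rootkit replaces, so the comparison is only as trustworthy as the tools it runs with: run it from a clean boot medium or with known-good static binaries, and keep the baseline file somewhere the machine cannot rewrite it. That offline, pre-incident baseline is the whole value of tripwire or aide, which is why it has to exist before the question "have I been hacked?" comes up.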