Have I been hacked?

fasty fasty at i-sphere.com
Mon Jun 9 20:05:09 PDT 2003


Ohh, you need to update your FreeBSD source and rebuild, because there is a patch 10.

I noticed your FreeBSD 4.7-RELEASE-p3 compared to mine, FreeBSD 4.7-RELEASE-p10.

-fasty


On Mon, Jun 09, 2003 at 09:32:14PM -0400, Ken Ebling wrote:
> I'm noticing something strange on two of my machines..  They're both 
> 4.7-RELEASE-p3 i386 and they've both been up 150 days without any 
> problems...
> 
> /var/log/messages on each system contains only:
>  Jun  9 12:00:01 in newsyslog[60291]: logfile turned over
> 
> dmesg's output is truncated..  it periodically changes, but currently 
> it reads:
> ite.net host=6532251hfc207.tampabay.rr.com [65.32.251.207]
> 
> What's really weird, is yesterday the messages file also only contained 
> the line about the log being turned over, but today I unzipped 
> messages.0 and it had entries for yesterday.  I'm going to check 
> messages.0 again after midnight and see if any of today's entries are 
> there.
> 
> Hindsight is always 20/20, and now I wish I had tripwire or aide 
> installed.  =/
> 
> I rebooted one of the machines, and now it seems to be acting normal 
> again..
> 
> I'm going to rebuild world on all my systems and install tripwire 
> anyways, but I'm kind of curious as to whether my machines have been 
> rooted or not.  I don't know if chkrootkit v0.40 is very accurate or 
> even worthwhile, but it reported no problems.  I also checked for 
> standard stuff like suid binaries and accounts with a uid of 0.  
> Nothing looks out of place, aside from the messages file being empty 
> and suddenly filling with data before newsyslog gzips it.
> 
> Any thoughts would be greatly appreciated,
> 
> Ken Ebling
> 
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
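
Added example, not part of either message above: the two manual checks the quoted message mentions (accounts with a uid of 0, suid binaries) written as repeatable shell functions. The function names, the allow-list, the baseline file and the sample passwd data are assumptions made for illustration.

```sh
#!/bin/sh
# Constructed passwd(5) sample; "sysadm" is a made-up extra uid-0 entry.
sample_passwd() {
cat <<'EOF'
# $FreeBSD$
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
ken:*:1001:1001:Ken:/home/ken:/bin/tcsh
sysadm:*:0:0:constructed entry:/tmp:/bin/sh
EOF
}

# Print "name:uid:shell" for each uid-0 entry in a passwd(5)-format file
# ($1, "-" or empty for stdin) whose name is not on the allow-list ($2).
# The default allow-list covers root and toor, the stock FreeBSD uid-0 pair.
uid0_accounts() {
    awk -F: -v allow="${2:-root toor}" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^#/ || NF < 7 { next }            # skip comments and short lines
        $3 ~ /^0+$/ && !($1 in ok) { print $1 ":" $3 ":" $7 }
    ' "${1:--}"
}

# List setuid/setgid regular files under directory $1 that are missing from
# baseline file $2 (one absolute path per line, saved from a known-good
# install). -xdev keeps find on a single filesystem.
new_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
        sort | grep -Fxv -f "$2" || true
}

# Demo on the constructed sample: reports only the unexpected account.
sample_passwd | uid0_accounts -
```

Results from a live system are only as trustworthy as its kernel and binaries, so a baseline is best recorded at install time and compared from known-good media.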

