Did i get hacked?

From: mario (mario_at_schmut.com)
Date: 05/02/03

    Date: Fri, 2 May 2003 12:14:38 -0700 (PDT)
    To: <freebsd-security@freebsd.org>

    Hello,
    I have a FreeBSD 4.8-PRERELEASE #0 that I use as a gateway / NAT box for
    my home.
    It also acts as a DNS / mail server to the outside world.
    I'm using ipf and basically filter for bogus networks on the way in and out.
    I allow everything out keeping state,
    and allow this in:
    pass in proto icmp from any to any icmp-type squench group 200
    pass in proto icmp from any to any icmp-type timex group 200
    pass in proto icmp from any to any icmp-type paramprob group 200
    pass in quick proto tcp from any port > 1023 to any port = smtp group 200
    pass in quick proto udp from any port > 1023 to any port = domain group 200

    On these ports I run qmail and tinydns.

    I was a bit sloppy by leaving these without a password,
    figuring they can't log in anyway.

    gtinydns::nnnn:nnnn::0:0:tinydns:/nonexistent:/sbin/nologin
    gdnslog::nnnn:nnnn::0:0:dns logger:/nonexistent:/sbin/nologin
    gaxfrdns::nnnn:nnnn::0:0:zone transfer:/nonexistent:/sbin/nologin

    I've changed this now, though I'm still not sure about the implications of
    this.
    Also, I'm not running tripwire or any other intrusion detection.

    Here's my problem. When I got up this morning, I noticed that the box
    rebooted at 0:32 this morning. I have 3 other computers that did not reboot,
    leaving me to believe there was no power failure. I looked through all the
    logs seeking clues as to what happened. Hardware failure? It is an old P-75
    and the hard drive has had issues in UDMA-2 but has been doing fine for
    months in PIO4 mode.
    I also have a cron job at 0:30 to move the apache logs to a tmp file, restart
    apache, sleep 5 minutes and then move the tmp file somewhere where newsyslog
    can catch it. According to the logs, apache restarted fine but the tmp files
    never made it anywhere. Again, nothing useful in them either.

    So if this was a hardware failure (hard drive), then any kernel panic
    statements probably would not make it to the hard drive. So it would be
    hard to tell. My question is, what if I got hacked? Would there be any way
    to find out despite me being totally unprepared for this?

    That question really messes with my head.
    Any pointer and/or clue stick treatments would be greatly appreciated.

    thanx

    mario;>

    ---------------------
    Do you schmut!?
    http://www.schmut.com

    For a real web site try:
    House Of Sites
    http://www.HouseOfSites.net
    Email: mario@HouseOfSites.net

    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
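The post's three `/etc/master.passwd` entries with an empty password field are one of the first things a responder would check after an unexplained reboot, together with any unexpected UID 0 account. The script below is an added example, not part of the original post or of FreeBSD; it audits a `master.passwd`-style file for empty password fields, for empty-password accounts that also have a usable login shell, and for UID 0 accounts other than `root`. The sample file it writes is constructed here (user names and the `$1$xyz` hash are placeholders); on a real host you would run `audit_passwd /etc/master.passwd` instead. Note that FreeBSD installs `toor` with UID 0 by default, so that finding needs review rather than alarm.

```sh
#!/bin/sh
# Added example: post-hoc audit of a passwd(5)/master.passwd-style file.
# Emits one line per finding in the form "<user>:<finding>".

audit_passwd() {
    # $1 = path to a colon-separated passwd file. master.passwd has 10 fields,
    # passwd(5) has 7; in both layouts the login shell is the last field.
    awk -F: '
        /^#/ || NF < 7 { next }
        {
            user = $1; pw = $2; uid = $3; shell = $NF
            # Empty password field: anyone who reaches a login prompt for
            # this account gets in without a secret.
            if (pw == "") print user ":empty-password"
            # Empty password combined with a real shell is the worst case;
            # /sbin/nologin or /usr/bin/false at least blocks interactive use.
            if (pw == "" && shell !~ /(nologin|false)$/)
                print user ":empty-password-with-login-shell"
            # Any UID 0 account besides root deserves a look
            # (FreeBSD ships "toor" by default; others are suspicious).
            if (uid == 0 && user != "root") print user ":uid-0"
        }' "$1"
}

make_sample() {
    # $1 = path to write. Constructed sample data, not a real passwd file.
    cat > "$1" <<'EOF'
# comment lines and short lines are ignored by the audit
root:$1$xyz:0:0::0:0:Charlie &:/root:/bin/csh
gtinydns::1001:1001::0:0:tinydns:/nonexistent:/sbin/nologin
guest::1002:1002::0:0:Guest:/home/guest:/bin/sh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
EOF
}

demo() {
    f=$(mktemp)
    make_sample "$f"
    audit_passwd "$f"
    rm -f "$f"
}

# Run the demo when executed directly with no argument; otherwise audit
# the file given on the command line.
if [ -n "${1:-}" ]; then
    audit_passwd "$1"
else
    demo
fi
```

Expected findings for the constructed sample are `gtinydns:empty-password`, `guest:empty-password`, `guest:empty-password-with-login-shell` and `toor:uid-0`; `root` is not reported. The check is deliberately read-only so it can be run from a rescue boot against a mounted disk without touching the evidence.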

