----- Original Message -----
From: "dave" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, April 13, 2004 11:51 PM
Subject: have i been hacked?

> Hello,
> Wondering if a system on my network has been hacked? At approx 12:30
> this evening the hard disk went crazy, I have been out of town lately and
> have not checked any of the machines, when I did the CPU usage was at 15%
> which on this machine it never gets above 1 maybe 1.5. So I looked, and I
> had nearly 150 processes on the box, 9 running. When I got the daily run
> output I noticed the setuid files have changed. Wondering if this box got
> hacked and if so where to look to confirm this? And if so, what to do?
> Thanks.
> Dave.
>
>
> Checking setuid files and devices:
> ls: Terminated
> : No such file or directory
>
> guardian.davemehler.net setuid diffs:
> 1,52d0
> < 94240 -r-sr-xr-x 1 root wheel 448384 Jun 4 21:54:47 2003 /bin/rcp
> < 117807 -r-sr-x--- 1 root operator 421832 Jun 4 21:55:39 2003

Compared to my 4.9 systems, your rcp is nearly twice the size it should be.

-r-sr-xr-x 1 root wheel 251444 Apr 9 12:05 rcp

You didn't say which version you were running but if it's a 4.x, then I'd say you've got a serious issue here. If you're running 5.x then I can't say.

--
Micheal Patterson
Network Administration
TSG Incorporated
405-917-0600
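Added example, not part of the thread and not written by either poster: the size comparison made in the reply, run over a whole setuid listing against a baseline taken from a known-good host of the same release. The function name, the baseline file and every sample value other than the quoted /bin/rcp line and the 251444 size are assumptions made for illustration; a matching size is inconclusive, only a mismatch is a finding.

```shell
#!/bin/sh
# Listing format assumed: the daily security run's
#   inode mode links owner group size Mon D HH:MM:SS YYYY path
# optionally prefixed by diff's "<" or ">". Paths with spaces are not handled.

# size_mismatches BASELINE SUSPECT
#   BASELINE: listing from a known-good host of the same release (assumed to exist)
#   SUSPECT:  listing or setuid diff from the host under investigation
# Prints "SIZEDIFF path suspect_size baseline_size" or "NOBASELINE path size".
size_mismatches() {
    awk '
        function parse(    o) {
            o = ($1 == "<" || $1 == ">") ? 1 : 0         # skip the diff marker
            if (NF - o != 11) return 0                    # header, noise or truncated line
            if ($(2 + o) !~ /^-..[sS]|^-.....[sS]/) return 0  # not setuid/setgid
            size = $(6 + o); path = $(11 + o)
            return 1
        }
        pass == 1 { if (parse()) base[path] = size; next }
        parse() {
            if (!(path in base))                 print "NOBASELINE", path, size
            else if (base[path] + 0 != size + 0) print "SIZEDIFF", path, size, base[path]
        }
    ' pass=1 "$1" pass=2 "$2"
}

# Constructed demo. Only the sizes 251444 and 448384 and the suspect /bin/rcp
# line come from the thread; every other value is made up.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/baseline" <<'EOF'
1001 -r-sr-xr-x 1 root wheel 251444 Apr 9 12:05:00 2004 /bin/rcp
1002 -r-sr-xr-x 1 root wheel 20000 Apr 9 12:05:00 2004 /usr/bin/su
EOF
    cat > "$tmp/suspect" <<'EOF'
guardian.davemehler.net setuid diffs:
1,52d0
< 94240 -r-sr-xr-x 1 root wheel 448384 Jun 4 21:54:47 2003 /bin/rcp
< 1002 -r-sr-xr-x 1 root wheel 20000 Apr 9 12:05:00 2004 /usr/bin/su
< 117807 -r-sr-x--- 1 root operator 421832 Jun 4 21:55:39 2003
EOF
    size_mismatches "$tmp/baseline" "$tmp/suspect"
    rm -rf "$tmp"
}

demo
```

The truncated last entry is skipped rather than guessed at, so an incomplete listing produces fewer findings, not false ones.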