Dan Strick wrote:
  ...
When I got the daily run
output I noticed the setuid files have changed. Wondering if this box got
hacked and if so where to look to confirm this?
  ...

Checking setuid files and devices:
ls: Terminated
: No such file or directory

guardian.davemehler.net setuid diffs:
1,52d0
< 94240 -r-sr-xr-x  1 root  wheel     448384 Jun  4 21:54:47 2003 /bin/rcp
  ...


The "ls" command the security script uses to discover all of the setuid files on your system failed for some unspecified reason and this caused the script to think that all the setuid files discovered during the previous run of this security script had gone away. The next time this script runs it may well report that these files have reappeared.

This is probably not evidence that your system was hacked.

Then what does it tell you that happened? When a file appears, that is rather strange; also notice the size of /bin/rcp


which differs from:

aragorn# ls -l /bin/rcp
-r-sr-xr-x  1 root  wheel  18392 Feb 23 20:41 /bin/rcp

(notice the size! Someone mentioned that already on the list.)

So obviously something weird happened.

I don't make the assumption that you are not hacked; let's assume you are hacked.

Take out the hard disk and make a backup of it. Then seal the original disk so that you cannot mess that one up.

Do some forensics on the backed-up hard disk (not the original!).
For example, install chkrootkit to see whether it has a rootkit installed, and check if you miss anything else. Are there files that you did not notice before? What network connections are being made when the host reboots? etc. etc.


I certainly think that it's really weird that a file increased that much in size (while my 5.2.1-p4 systems are up2date). I also think that the file the security output misses is strange; I assume that this isn't the first day the host is running.

Hope this helps a bit,

Also note that this is my consideration, and may or may not be backed up by other persons ;-)


Dan Strick [EMAIL PROTECTED]

--


Kind regards,

Remko Lodder
Elvandar.org/DSINet.org
www.mostly-harmless.nl A Dutch community for helping newcomers on the hackerscene
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
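To illustrate the point made in the thread, here is an added shell example (my own, not code from the list or from the FreeBSD security script): it classifies a daily "setuid diffs" result so that an empty current listing (the scan's `ls` was terminated) is reported as a scan failure rather than as dozens of removed files, and it lists setuid binaries whose size changed between runs, which is the check that flagged /bin/rcp above. The listings are constructed sample data in the report's `ls -li`-style layout.

```sh
#!/bin/sh
# Added example, not from the thread. Listing lines follow the daily
# security report's layout:
#   inode perms links owner group size Mon DD HH:MM:SS YYYY path
# All listings below are constructed sample data.

PREV='94240 -r-sr-xr-x  1 root  wheel     448384 Jun  4 21:54:47 2003 /bin/rcp
94241 -r-sr-xr-x  1 root  wheel      20480 Jun  4 21:54:47 2003 /usr/bin/su'
CURR_EMPTY=''        # what you get when the scan's ls is terminated early
CURR_RESIZED='94240 -r-sr-xr-x  1 root  wheel      18392 Feb 23 20:41:00 2003 /bin/rcp
94241 -r-sr-xr-x  1 root  wheel      20480 Jun  4 21:54:47 2003 /usr/bin/su'

# classify_setuid_diff PREV CURR -> scan-failed | unchanged | changed
classify_setuid_diff() {
  if [ -n "$1" ] && [ -z "$2" ]; then
    echo scan-failed      # nothing listed at all: distrust the report, rerun the scan
  elif [ "$1" = "$2" ]; then
    echo unchanged
  else
    echo changed
  fi
}

# size_changes PREV CURR -> one "path oldsize newsize" line per path whose size
# differs; a resized setuid binary should be compared against a known-good copy
size_changes() {
  p=$(mktemp) && c=$(mktemp) || return 1
  printf '%s\n' "$1" > "$p"
  printf '%s\n' "$2" > "$c"
  # first pass records sizes by path, second pass reports mismatches
  awk 'NR == FNR { size[$NF] = $6; next }
       ($NF in size) && size[$NF] != $6 { print $NF, size[$NF], $6 }' "$p" "$c"
  rm -f "$p" "$c"
}

echo "empty listing: $(classify_setuid_diff "$PREV" "$CURR_EMPTY")"    # scan-failed
echo "resized rcp:   $(classify_setuid_diff "$PREV" "$CURR_RESIZED")"  # changed
size_changes "$PREV" "$CURR_RESIZED"                                   # /bin/rcp 448384 18392
```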