Subject: Re: HELP! someone is in my NetBSD box!
To: None <port-macppc@netbsd.org>
From: Erik Solomonson <eriks@panix.com>
List: port-macppc
Date: 04/08/2004 16:40:04
On Thu, 8 Apr 2004, Niels S.Eliasen wrote:

> Have taken ethernet off, done....
> Well... looks the guy has had one h... of a time... the system was
> by-the-looks of it compromised the 22-Jan-2004... at that time the
> accounting file got wiped... and apparently the super user has this
> entry "Charlie &" in the comment field and daemon has "the devil
> himself" .....
Hmmm...I don't have a NetBSD box handy right now...But I seem to remember
"Charlie" and "The Devil.." being normal on the system.

Check the passwd file for things that are not supposed to have shell
access but do.


>
> ....
> How can I trace this... ???
> The system is offline at the moment... only three users defined on the
> system, primarily used as a web-server...
What version of Apache?  Check to see if you were using a vulnerable one.
Check the www logs too.

> BTW: I noticed something was wrong as I did a "top" and all of a sudden
> "root" was doing a "make" and sure as ... it was not me!
That is weird.  But check the crontab and check your cgi-bin (if you have
one) to see what is in there and make sure that root doesn't own anything
on your webserver.

>
> How did this guy get in ???
> How to figure out ?
>
Not sure, and I am not even sure if what I am saying will help you at all :)

But keep poking around...google stuff and let us know...maybe something
will come up.

Just don't re-boot.


> On 8/4-2004, at 21.51, Joe Laffey wrote:
>
> > On Thu, 8 Apr 2004, Niels S.Eliasen wrote:
> >
> >> Someone is in my NetBSD box.......
> >> Password file is busy.....
> >> How do I get this creep out ?
> >
> > Step one, unplug the ethernet immediately.
> >
> > Then see how much damage is done. The ONLY 100% safe bet is to
> > completely reinstall.
> >
> > If you have tripwire hashes of all system binaries and everything looks
> > ok then you can be 98% sure it is ok. Otherwise re-install. Bad guys do
> > evil things like modify w, ps, the kernel, netstat, etc to hide themselves
> > (including faking the dates on those files).
> >
> > Good luck,
> >
> >
> > --
> > Joe Laffey              |  Want to convert subnet masks between different
> > LAFFEY Computer Imaging |  notations, or figure the number of IPs in a block?
> > St. Louis, MO           |  Whatmask - It's FREE (GPL) - NEW Version 1.2!
> > USA                     |  http://www.laffeycomputer.com/wm.html
> > ------------------------------------------------------------------------------
> > Mail here will be rejected  -----> "Sigfried Trap" <s_trap@laffeycomputer.com>
> >
> >
> mvh/kind regards
> Niels S. Eliasen
> Hørhavevej 1
> DK-4250, Fuglebjerg
> Tel/Cell: +45 46 32 85 27 +45 21 77 95 90
> mailto:Niels.Eliasen@delfi-konsult.com
>
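The two checks the replies above recommend, listing passwd accounts that have a real login shell and comparing system binaries against a previously saved hash manifest (Joe's tripwire point), as an added shell example that is not part of this thread. The passwd lines and the files under the temporary directory are constructed sample data; the `unexpected_shells`, `file_digest`, `make_manifest` and `verify_manifest` names are this example's own, and a real baseline manifest only helps if it was taken from a trusted system before the compromise.

```shell
# Constructed /etc/passwd sample (7 fields: name:pw:uid:gid:gecos:home:shell).
# "Charlie &" and "The devil himself" are the stock NetBSD comments for root/daemon.
SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:The devil himself:/:/sbin/nologin
nobody:*:32767:39:Unprivileged user:/nonexistent:/sbin/nologin
niels:*:1000:100:Niels:/home/niels:/bin/ksh
www:*:24:24:HTTP Server:/var/www:/bin/sh'

# Read passwd on stdin; print "name:shell" for every account whose shell is not
# nologin/false and whose name is not in the space-separated expected list in $1.
unexpected_shells() {
    awk -F: -v ok=" $1 " \
        '$7 !~ /(nologin|false)$/ && index(ok, " " $1 " ") == 0 { print $1 ":" $7 }'
}

# SHA-256 of one file with whichever tool exists (sha256sum on Linux,
# sha256(1) on NetBSD, shasum elsewhere); prints only the hex digest.
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{print $1}'
    elif command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"
    else shasum -a 256 "$1" | awk '{print $1}'; fi
}

# Write "digest path" for every regular file under the given directories.
make_manifest() {
    find "$@" -type f | sort | while read -r f; do
        printf '%s %s\n' "$(file_digest "$f")" "$f"
    done
}

# Re-hash the files listed in manifest $1; print CHANGED/MISSING lines, nothing if clean.
verify_manifest() {
    while read -r saved path; do
        if [ ! -f "$path" ]; then printf 'MISSING %s\n' "$path"
        elif [ "$(file_digest "$path")" != "$saved" ]; then printf 'CHANGED %s\n' "$path"
        fi
    done < "$1"
}

# Demo on constructed files standing in for ps, netstat and w.
DEMO=$(mktemp -d)
for b in ps netstat w; do printf 'original %s\n' "$b" > "$DEMO/$b"; done
make_manifest "$DEMO" > "$DEMO.manifest"   # the trusted baseline, taken earlier
printf 'trojaned\n' >> "$DEMO/ps"          # simulate a replaced binary
rm "$DEMO/w"                               # simulate a deleted one
printf '%s\n' "$SAMPLE_PASSWD" | unexpected_shells "root niels"   # www:/bin/sh
verify_manifest "$DEMO.manifest"           # CHANGED .../ps, MISSING .../w
```

On a live box, run the manifest check with the hash tool and a copy of the manifest taken from known-good media, since a modified `sha256` or `find` on the compromised host can lie just like a modified `ps`.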