> From: Jim Mercer [mailto:jim@reptiles.org]
> Sent: Thursday, August 23, 2001 9:39 AM
>
> my suspicions and some things to look for:
>
> - boxes were compromised using the buffer overflow in telnetd (speculation)
> - my box had a bogus /usr/sbin/nscd (which is not a normal FreeBSD binary)
> - nscd appears to be a hacked sshd, listening on a 14000 series port
> - it had its own /etc/ssh_* config files (FreeBSD puts them in /etc/ssh/ssh_*)
> - there was a file in /dev/ptaz which appeared to be DES crypto gunge
> - there were a bunch of irc/eggdrop related files in a ".e" directory of one of the user's $HOME
>
> suggestions for looking about:
>
> - do an ls -lta in bindirs, my systems generally have all /bin /usr/bin files with the same timestamp
> - do a "du /dev" and look for anomalies
> - do a "cd /dev ; ls -l | grep -e-" and look for anomalies
> - do a "ls -ltra /" (as well as /usr and /usr/local) and look for anomalies

Shorter answer ... run tripwire.
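The manual checks quoted above, automated as an added shell script that is not part of the original thread. It assumes POSIX sh with a find(1) that supports -maxdepth/-mindepth (GNU and BSD both do), takes the root of the suspect filesystem as its argument so it can be pointed at a mounted image, and should be run with ls/find copied from a known-good system, since a rootkitted box may have replaced them.

```shell
#!/bin/sh
# Added example (not from the thread): automate three of the checks above.
# Pass the root of the suspect filesystem, e.g. "sh audit.sh /mnt/suspect".

# Check 1: regular files inside the device directory. /dev should hold only
# device nodes, symlinks, fifos and subdirectories; a plain file there (like
# the crypto blob found in /dev/ptaz) is an anomaly worth pulling for analysis.
plain_files_in_dev() {
    find "$1" -type f 2>/dev/null
}

# Check 2: binaries in a bin directory modified after a reference file.
# On a release install /bin and /usr/bin files share one timestamp, so
# anything newer than e.g. $ROOT/bin/ls stands out (an OS update will show
# up here too, so treat hits as leads, not verdicts).
binaries_newer_than() {
    find "$1" -maxdepth 1 -type f -newer "$2" 2>/dev/null
}

# Check 3: hidden directories directly under each user's home, where the
# ".e" eggdrop directory above was stashed. Everything found is printed;
# compare against what the users are known to keep (.ssh, .cshrc dirs etc.).
hidden_dirs_in_homes() {
    find "$1" -mindepth 2 -maxdepth 2 -type d -name '.*' 2>/dev/null
}

# Run all three checks against one root directory and print a short report.
report() {
    root="$1"
    echo "== regular files under $root/dev"
    plain_files_in_dev "$root/dev"
    echo "== files in $root/bin and $root/usr/bin newer than $root/bin/ls"
    for d in "$root/bin" "$root/usr/bin"; do
        [ -d "$d" ] && binaries_newer_than "$d" "$root/bin/ls"
    done
    echo "== hidden directories in $root/home/*"
    hidden_dirs_in_homes "$root/home"
}

# Only run the report when a root directory was given on the command line.
if [ -n "$1" ]; then
    report "$1"
fi
```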