Security Incidents mailing list archives
Re: I think I've been hacked...please help!
From: Hugo van der Kooij <hvdkooij () vanderkooij org>
Date: Mon, 1 Apr 2002 10:45:27 +0200 (CEST)
On Sat, 30 Mar 2002, Joe Warner wrote:
> I'm running FreeBSD 4.5-STABLE and I recently noticed some unknown ARP activity on my Cable connection when I wasn't running any programs or even logged into X. I checked all the usual files for modification:
>
> /etc/inetd.conf
> /etc/rc.conf
> /etc/crontab
> /usr/local/etc/rc.d/
>
> ..and didn't see anything unusual.
Nice try. But if the rootkit is any good you have been using the rootkit to find its presence. And that is something the rootkit will hide from you.

The fact that you only have ARP requests does not mean a thing. And the other attachment is DHCP traffic. Which is probably the way you have configured your internet connection.

So this sounds like hunting ghosts. And snort is NOT the best way to trace traffic.

If you suspect your machine is compromised you cannot rely on anything at all from that machine! Boot from clean media (CD or write-protected floppy) and investigate from there.

Hugo.

--
All email sent to me is bound to the rules described on my homepage.
hvdkooij () vanderkooij org http://hvdkooij.xs4all.nl/
Don't meddle in the affairs of sysadmins,
for they are subtle and quick to anger.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
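Added example, not part of the original message: one way to act on the advice to investigate from clean media is to hash the suspect disk's files with tools from the rescue environment and compare them against hashes taken from known-good install media. It assumes a Python interpreter is available on the rescue media and that the suspect disk is mounted read-only; the directory names and file contents in `demo()` are constructed.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=1 << 16):
    # Hash in chunks so large binaries need not fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root, subdirs):
    """Map relative path -> SHA-256 for regular files under root/<subdir>.
    File symlinks are recorded by target instead of being followed."""
    seen = {}
    for sub in subdirs:
        for dirpath, _dirs, files in os.walk(os.path.join(root, sub)):
            for name in files:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root)
                if os.path.islink(full):
                    seen[rel] = "symlink:" + os.readlink(full)
                elif os.path.isfile(full):
                    seen[rel] = sha256_file(full)
    return seen

def compare(baseline, current):
    """Return sorted (modified, missing, unexpected) relative paths."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    missing = sorted(p for p in baseline if p not in current)
    unexpected = sorted(p for p in current if p not in baseline)
    return modified, missing, unexpected

def demo():
    # Constructed sample: temp trees stand in for known-good media and the suspect disk.
    def populate(root, files):
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        return root
    good = populate(tempfile.mkdtemp(), {"bin/ls": b"ls-v1", "bin/ps": b"ps-v1"})
    suspect = populate(tempfile.mkdtemp(), {"bin/ls": b"ls-changed", "bin/ps": b"ps-v1", "bin/.x": b"?"})
    return compare(snapshot(good, ["bin"]), snapshot(suspect, ["bin"]))

if __name__ == "__main__":
    print(demo())
```

The comparison is only as trustworthy as the baseline, so the known-good hashes have to come from install media or a backup made before the suspected compromise, never from the running suspect system.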