Hi all again,

I must add, there are no log entries after June 9, 2004. The "LKM" message first appeared June 8, 2004; after this day, there is nothing in /var/messages, /var/security .....

How could I look for a suspicious LKM module? How could I find it, if the machine is hacked and I cannot believe "ls", "find" etc. commands?

Peter Rosa
I have on a CD a number of binaries (sources actually) (e.g. ls, find, grep, awk, sed, locate etc.), and when I believe that a machine has been cracked I remove the network cable from that machine, mount the cdrom, build the sources and start looking. If I need something in that process I put it on my USB memstick from a 'trusted machine' and move it by hand over. Roughly speaking this is my process.

> On Sat, 12 Jun 2004 13:44:45 +0200
> "Peter Rosa" <prosa@pro.sk> wrote:
>
> Hi all again,
>
> I must add, there are no log entries after June 9, 2004. "LKM" message first
> appeared June 8, 2004, after this day, there is nothing in /var/messages,
> /var/security .....
>
> How could I look for suspicious LKM module ? How could I find it, if the
> machine is hacked and I can not believe "ls", "find" etc. commands ?
>
> Peter Rosa
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
On Saturday, 2004-06-12 at 13:44:45 +0200, Peter Rosa wrote:

> I must add, there are no log entries after June 9, 2004. "LKM" message first
> appeared June 8, 2004, after this day, there is nothing in /var/messages,
> /var/security .....

Check if your syslog daemon is running. Also try to log something from the command line with logger.

> How could I look for suspicious LKM module ? How could I find it, if the
> machine is hacked and I can not believe "ls", "find" etc. commands ?

Dunno. I've turned off modules on all my FreeBSD machines.

IIRC, the way to check binaries is to "make buildworld", install somewhere else and compare. Of course, you should not build on a suspect machine.

Have you turned on securelevel?

HTH,
Lupe Christoph
-- 
| lupe@lupe-christoph.de | http://www.lupe-christoph.de/ |
| "... putting a mail server on the Internet without filtering is like |
| covering yourself with barbecue sauce and breaking into the Charity |
| Home for Badgers with Rabies." Michael Lucas |
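Both replies boil down to the same check: hash the suspect system's files with tools run from trusted media and compare them against a tree built on a clean machine. The script below is an added example (not code from either poster or from FreeBSD) of that comparison; it assumes the trusted tree mirrors the suspect tree's layout (e.g. a "make installworld" into a directory on the CD versus /) and that the paths contain no whitespace.

```shell
#!/bin/sh
# Compare a SUSPECT tree against a TRUSTED tree built on a clean machine
# ("buildworld elsewhere and compare"). Run it, sha256/sha256sum, find,
# awk, comm etc. from read-only trusted media, never from the suspect disk.
# Assumption: same directory layout in both trees, no whitespace in paths.
export LC_ALL=C   # byte-wise collation so sort(1) and comm(1) agree

# Print only the SHA-256 digest of one file (GNU coreutils or FreeBSD sha256(1)).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# make_manifest DIR: one "relative-path digest" line per regular file, sorted.
make_manifest() {
    (cd "$1" && find . -type f | while IFS= read -r f; do
        printf '%s %s\n' "${f#./}" "$(hash_file "$f")"
    done | sort)
}

# has_path MANIFEST PATH: succeeds if the manifest lists PATH (exact match on field 1).
has_path() {
    awk -v p="$2" '$1 == p { found = 1 } END { exit !found }' "$1"
}

# compare_trees TRUSTED SUSPECT: prints MODIFIED/MISSING/ADDED lines;
# returns 0 when the trees are identical, 1 when anything differs.
compare_trees() {
    t=$(mktemp "${TMPDIR:-/tmp}/trusted.XXXXXX") || return 2
    s=$(mktemp "${TMPDIR:-/tmp}/suspect.XXXXXX") || return 2
    make_manifest "$1" > "$t"
    make_manifest "$2" > "$s"
    # Lines only in the trusted manifest: the file changed on, or vanished from, the suspect.
    comm -23 "$t" "$s" | while read -r path digest; do
        if has_path "$s" "$path"; then echo "MODIFIED $path"; else echo "MISSING $path"; fi
    done
    # Lines only in the suspect manifest whose path the trusted tree never had.
    comm -13 "$t" "$s" | while read -r path digest; do
        has_path "$t" "$path" || echo "ADDED $path"
    done
    if cmp -s "$t" "$s"; then rc=0; else rc=1; fi
    rm -f "$t" "$s"
    return $rc
}

# Usage from a trusted shell: sh compare_trees.sh /mnt/cdrom/root /
if [ "$#" -eq 2 ]; then compare_trees "$1" "$2"; fi
```

A modified or added binary under /bin, /sbin or /boot/kernel is the first thing to look at; a clean comparison says nothing about what a loaded kernel module may hide from the tools themselves, which is why the hashing runs from trusted media.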