Security Incidents mailing list archives

Re: I think I've been hacked...please help!


From: Hugo van der Kooij <hvdkooij () vanderkooij org>
Date: Mon, 1 Apr 2002 10:45:27 +0200 (CEST)

On Sat, 30 Mar 2002, Joe Warner wrote:

> I'm running FreeBSD 4.5-STABLE and I recently noticed some
> unknown ARP activity on my Cable connection when I wasn't
> running any programs or even logged into X.
>
> I checked all the usual files for modification:
>
> /etc/inetd.conf
> /etc/rc.conf
> /etc/crontab
> /usr/local/etc/rc.d/
>
> ...and didn't see anything unusual.

Nice try. But if the rootkit is any good you have been using the rootkit to 
find its presence. And that is something the rootkit will hide from you.

The fact that you only have ARP requests does not mean a thing. And the 
other attachment is DHCP traffic, which is probably the way you have 
configured your internet connection.

So this sounds like hunting ghosts. And snort is NOT the best way to 
trace traffic.

If you suspect your machine is compromised you cannot rely on anything at 
all from that machine! Boot from clean media (CD or write-protected 
floppy) and investigate from there.

Hugo.

-- 
All email sent to me is bound to the rules described on my homepage.
    hvdkooij () vanderkooij org         http://hvdkooij.xs4all.nl/
            Don't meddle in the affairs of sysadmins,
            for they are subtle and quick to anger.
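One way to do the "investigate from clean media" step Hugo recommends, as an added example that is not part of the thread: after booting the rescue media and mounting the suspect root read-only (assumed under /mnt), compare the files Joe listed, plus everything under /usr/local/etc/rc.d, against a SHA-256 manifest recorded while the host was known-good. The manifest format ("hash path") and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original thread): check a suspect root
# filesystem, mounted read-only from clean media, against a manifest of
# SHA-256 hashes taken while the host was known-good. The hashing runs from
# the rescue system, so a rootkit on the suspect disk cannot hide from it.

hash_file() {
    # Use whichever SHA-256 tool the rescue media provides.
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"   # FreeBSD base
    else openssl dgst -sha256 "$1" | sed 's/.* //'; fi
}

# Record hashes of the files from the post plus every script in rc.d,
# as paths relative to the root given in $1 (run this on the known-good host).
make_manifest() {
    root=$1
    for f in "$root"/etc/inetd.conf "$root"/etc/rc.conf "$root"/etc/crontab \
             "$root"/usr/local/etc/rc.d/*; do
        [ -f "$f" ] && printf '%s %s\n' "$(hash_file "$f")" "${f#"$root"/}"
    done; return 0
}

# Compare a mounted root ($1) with a saved manifest ($2): print one line per
# changed, missing or unexpected file, and return non-zero if anything was found.
check_manifest() {
    root=$1; manifest=$2; n=0
    while read -r want path; do
        if [ ! -f "$root/$path" ]; then echo "MISSING  $path"; n=$((n + 1))
        elif [ "$(hash_file "$root/$path")" != "$want" ]; then echo "CHANGED  $path"; n=$((n + 1)); fi
    done < "$manifest"
    for f in "$root"/usr/local/etc/rc.d/*; do          # dropped-in startup scripts
        rel=${f#"$root"/}
        [ -f "$f" ] && ! grep -q " $rel\$" "$manifest" && { echo "NEW      $rel"; n=$((n + 1)); }
    done
    return "$n"
}

# Constructed sample tree standing in for a mounted root, so the check can be
# exercised without real hardware; prints the directory it created.
build_sample_root() {
    d=$(mktemp -d); mkdir -p "$d/etc" "$d/usr/local/etc/rc.d"
    printf 'ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l\n' > "$d/etc/inetd.conf"
    printf 'sshd_enable="YES"\n' > "$d/etc/rc.conf"
    printf '0 * * * * root /usr/libexec/atrun\n' > "$d/etc/crontab"
    printf '#!/bin/sh\n' > "$d/usr/local/etc/rc.d/apache.sh"
    echo "$d"
}
```

In practice you would run `make_manifest / > baseline.txt` on the host before it was ever exposed (and keep the file elsewhere), then `check_manifest /mnt baseline.txt` from the rescue boot; any MISSING, CHANGED or NEW line is something to look at before trusting the disk again.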



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com