Subject: system possibly compromised
To: None <netbsd-help@netbsd.org>
From: Roger Fischer <rgfisch@excite.com>
List: netbsd-help
Date: 02/24/2004 11:31:52
How can I determine if a root-kit has been installed or my system has been
compromised in some other way?
My ISP sent me an email about spam coming from my IP address, and I also got
some emails about mail that could not be delivered (that I had not sent).

My ipf firewall only has ports 22 and 25 open.
The processes that have me concerned are:

    13252   296   296 9a1f80    0 I    ??   0:00.01 /USR/SBIN/CRON (cron)
    13255 13252 13255 a10180    0 ZW   ??   0:00.00 (sh)
    13266 13252   296 9a1f80    0 I    ??   0:00.07 sendmail -FCronDaemon -odi -oem -oi -or0s -t
    13268 13266   296 9a1f80    0 I    ??   0:00.05 postdrop process_name

When I try to kill 13255 or 13266 I get a message that the process does not exist.
I finally killed 13252 which killed the rest.

I did a find looking for a CRON (in caps) and turned up nothing.
I've looked for hidden directories and haven't found anything.

If somebody has been in here, what's the best way to recover?
NetBSD 1.6.1, i386.  Full process list is below.

thanks,
       - rgf
=================

# ps -jax
USER      PID  PPID  PGID   SESS JOBC STAT TT      TIME COMMAND
root        0     0     0 6841c0    0 DKs  ??   0:03.08 [swapper]
root        1     0     1 8bc940    0 Ss   ??   0:00.21 init
root        2     0     0 6841c0    0 DK   ??   0:01.99 [pagedaemon]
root        3     0     0 6841c0    0 DK   ??   0:51.95 [reaper]
root        4     0     0 6841c0    0 DK   ??  24:39.88 [ioflush]
root        5     0     0 6841c0    0 DK   ??   0:04.26 [aiodoned]
root       85     1    85 8bc000    0 Ss   ??   0:11.82 /sbin/dhclient ne2
root      109     1   109 958c00    0 Ss   ??   0:57.63 /usr/sbin/syslogd -s
root      113     1   113 958580    0 Ss   ??   3:15.30 /usr/sbin/ipmon -ns -D
root      122     1   122 8bc1c0    0 Ss   ??   1:17.20 /usr/sbin/named /etc/namedb/named.conf
root      183     1   183 9581c0    0 S<s  ??   2:14.93 /usr/sbin/ntpd
root      212     1   212 98f8c0    0 Ss   ??   0:25.51 /usr/pkg/sbin/sshd
root      284     1   284 98fa00    0 Ss   ??   0:00.86 /usr/sbin/inetd -l
root      296     1   296 9a1f80    0 Ss   ??   0:12.49 /usr/sbin/cron
root    13252   296   296 9a1f80    0 I    ??   0:00.01 /USR/SBIN/CRON (cron)
root    13255 13252 13255 a10180    0 ZW   ??   0:00.00 (sh)
root    13266 13252   296 9a1f80    0 I    ??   0:00.07 sendmail -FCronDaemon -odi -oem -oi -or0s -t
root    13268 13266   296 9a1f80    0 I    ??   0:00.05 postdrop process_name
postfix 14579 24189 24189 98f300    0 S    ??   0:00.12 pickup -l -t fifo -u
root    14617   212 14617 988ec0    0 Ss   ??   0:00.22 sshd: admin [priv]
admin   14619 14617 14617 988ec0    0 S    ??   0:00.21 sshd: admin@ttyp0
root    24189     1 24189 98f300    0 Ss   ??   0:20.21 /usr/pkg/libexec/postfix/master
postfix 24191 24189 24189 98f300    0 S    ??   0:17.94 qmgr -l -t fifo -u
root    12201     1 12196 98f480    0 S    p0-  0:43.90 /usr/pkg/bin/perl -w /usr/pkg/sbin/ddclient
admin   14620 14619 14620 a02380    0 Ss   p0   0:00.14 -bash
root    14624 14620 14624 a02380    1 S    p0   0:00.19 -csh
root    14635 14624 14635 a02380    1 R+   p0   0:00.00 ps -jax
root     7138     1  7138 988580    0 IWs+ E0   0:00.00 /usr/libexec/getty Pc console
#





_______________________________________________
Join Excite! - http://www.excite.com
The most personalized portal on the Web!
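An added example, not part of the original post or of NetBSD itself, for the question of how to tell whether the installed system has been tampered with. In the listing above, PID 13252 is a child of /usr/sbin/cron (PID 296) and in turn parents a sendmail -FCronDaemon process, which is the path cron takes to mail a job's output; so whatever that job was, the responder's first need is a way to check the on-disk binaries (cron, sh, sendmail, ps, find, ls and friends) against a copy that the suspect host did not produce. The script below does that with POSIX cksum: it writes a checksum baseline of a directory tree and later reports files that were modified, added (including dot-directories) or removed. The baseline must come from a trusted source, such as the same NetBSD set extracted on a clean machine or the install media, since a baseline taken from the suspect disk only proves it has not changed since you looked. All paths and file names in the script and its comments are illustrative assumptions, not from the post.

```shell
#!/bin/sh
# Added example (not from the original post or from NetBSD): checksum-baseline
# integrity check using only POSIX tools (find, sort, cksum, diff, awk).
#
# Usage:
#   ./integrity.sh baseline /path/to/trusted/usr/sbin  sbin.base   # on a clean host
#   ./integrity.sh verify   /usr/sbin                  sbin.base   # on the suspect host
# Paths above are illustrative. Exit status of "verify" is 0 when the tree
# matches the baseline and 1 when any difference is reported.

# baseline DIR OUT: write "crc size ./relative/path" for every regular file
# under DIR, sorted by path so two baselines can be compared line by line.
baseline() {
    dir=$1; out=$2
    ( cd "$dir" || exit 2
      find . -type f -print | LC_ALL=C sort | while IFS= read -r f; do
          cksum "$f"
      done ) > "$out"
}

# verify DIR BASELINE: recompute the checksums of DIR and report differences:
#   MODIFIED path   present in both, but checksum or size differs
#   ADDED    path   on disk now, absent from the baseline
#   MISSING  path   in the baseline, gone from disk
# Caveat: the path is taken as awk field 4 of the diff output, so file names
# containing whitespace are reported truncated (acceptable for system trees).
verify() {
    dir=$1; base=$2
    tmp=$(mktemp) || return 2
    baseline "$dir" "$tmp"
    report=$(diff "$base" "$tmp" | awk '
        /^< / { old[$4] = 1 }
        /^> / { new[$4] = 1 }
        END {
            for (p in old)
                if (p in new) print "MODIFIED " p; else print "MISSING " p
            for (p in new)
                if (!(p in old)) print "ADDED " p
        }' | LC_ALL=C sort)
    rm -f "$tmp"
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Command-line dispatch; does nothing when the file is sourced without arguments.
case ${1:-} in
    baseline) baseline "$2" "$3" ;;
    verify)   verify   "$2" "$3" ;;
esac
```

Run "baseline" on a clean installation of the same release and copy the list to the suspect host over a channel you trust (or carry the suspect disk to the clean machine and point "verify" at the mounted tree, which also sidesteps a kernel-level rootkit on the suspect host). A "MODIFIED" hit on a binary such as /usr/sbin/cron, /bin/ps or /usr/bin/find is the answer to the original question; an "ADDED" hit inside a dot-directory is the hidden directory the post was looking for.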