Subject: Re: system possibly compromised
To: Roger Fischer <rgfisch@excite.com>
From: Michal Pasternak <michal@pasternak.w.lub.pl>
List: netbsd-help
Date: 02/24/2004 17:51:49
Roger Fischer [Tue, Feb 24, 2004 at 11:31:52AM -0500]:
> How can I determine if a root-kit has been installed 

security/chkrootkit

Anyway, only script kiddies would use "rootkits".

> or my system has been
> compromised in some other way?

You should have asked about it before it got compromised. Some programs to have
a look at are, for example, tripwire. As USB memory keys are common these
days, a checksum database on separate media is quite a good option.

> My ISP sent me an email about spam coming from my IP address, and I also got
> some emails about mail that could not be delivered (that I had not sent).
> My ipf firewall only has ports 22 and 25 open.

... pity you haven't told us what versions of software you are running there.

> The processes that have me concerned are:
> 
>     13252   296   296 9a1f80    0 I    ??   0:00.01 /USR/SBIN/CRON (cron)

Caps seem strange.

Check for listening sockets using netstat -an | grep LISTEN, for example.

> I did a find looking for a CRON (in caps) and turned up nothing.
> I've looked for hidden directories and haven't found anything.

That's normal - process 13252 changed its name via setproctitle(3). The
original binary was called 'cron'; the new one was called '/USR/SBIN/CRON'.
See for yourself:

    #include <stdlib.h>   /* setproctitle(3) is declared here on NetBSD */
    #include <unistd.h>   /* sleep(3) */

    int main(void) { setproctitle("foobar"); sleep(60); return 0; }

> If somebody has been in here, what's the best way to recover?

I'd back up user data ASAP and reinstall the whole system.

You could of course only back up the data, leave the box running for a few
days and try to log the intruders' IP addresses. Contact your local police
department if you find this appropriate.

-- 
Michal Pasternak :: http://pasternak.w.lub.pl :: http://winsrc.sf.net
"There's so much comedy on television. Does that cause comedy in the streets?" 
	-- Dick Cavett
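The setproctitle(3) point above suggests a quick check that is not part of the original mail: setproctitle(3) rewrites the process's own argument string (what ps prints in its "args" column), but not the command name the kernel recorded at exec time (the "comm" column). Comparing the two turns up processes whose displayed title does not match the program that is really running. The script below is an added example; it assumes the NetBSD ps(1) keywords `pid`, `comm` and `args`, and the sample listing it carries is constructed, modelled on the '/USR/SBIN/CRON' line in the mail.

```shell
#!/bin/sh
# Added example, not code from the original mail.
# Input lines look like: "<pid> <comm> <args...>", i.e. the output of
#     ps -axo pid,comm,args | sed 1d
# (assumed NetBSD ps(1) keywords; "comm" comes from the kernel and is not
# touched by setproctitle(3), "args" comes from the process's own memory
# and is exactly what setproctitle(3) rewrites).

# Print "<pid> <comm> <argv0>" for every process whose argv[0] basename
# differs from the kernel's command name.
flag_title_mismatch() {
    while read -r pid comm args; do
        # argv[0] as the process presents it: first word of the args column
        argv0=${args%% *}
        # strip any directory part so /usr/sbin/cron compares as "cron"
        base=${argv0##*/}
        [ "$base" = "$comm" ] && continue
        printf '%s %s %s\n' "$pid" "$comm" "$argv0"
    done
}

# Constructed sample ps output (not real data). The second line mimics the
# suspicious process from the mail: a perl interpreter that has retitled
# itself as /USR/SBIN/CRON. The sshd line shows a legitimate daemon that
# also uses setproctitle(3) and will therefore be reported too.
SAMPLE_PS='123 cron /usr/sbin/cron
13252 perl /USR/SBIN/CRON
77 sshd sshd: root@pts/0 (sshd)
200 sh /bin/sh -c date'

# Stand-alone run: report mismatches in the sample listing.
printf '%s\n' "$SAMPLE_PS" | flag_title_mismatch
```

On a live system, pipe `ps -axo pid,comm,args | sed 1d` into `flag_title_mismatch` instead of the sample. Expect legitimate daemons that call setproctitle(3) (sshd, sendmail, and similar) to show up as well, so each reported pid still needs a look at which binary it actually is; what matters is an interpreter or unknown program wearing the name of a system daemon, as in the 13252 line.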