I think I've been hacked...please help!

From: Joe Warner (rootman22at_private)
Date: Sat Mar 30 2002 - 07:51:27 PST

    Hi,
    
    I'm running FreeBSD 4.5-STABLE and I recently noticed some
    unknown ARP activity on my Cable connection when I wasn't
    running any programs or even logged into X.
    
    I checked all the usual files for modification:
    
    /etc/inetd.conf
    /etc/rc.conf
    /etc/crontab
    /usr/local/etc/rc.d/
    
    ..and didn't see anything unusual.
    
    netstat -an
    sockstat
    
    ..didn't reveal anything.
    
    I ran chkrootkit and that didn't turn up anything either.
    
    I am attaching the output of snort -ead so that you can see what I'm
    talking about.  If you require more information, please let me know.
    I'd really appreciate it if someone could help me figure this out.
    
    Thanks
    
    Joe
    
    --
    Concept, n.:
            Any "idea" for which an outside consultant billed you more than
    $25,000.
    
    
    
    
    03/30-07:43:32.868036 ARP who-has 12.254.196.198 tell 12.254.196.1
    03/30-07:43:41.390466 ARP who-has 12.254.196.215 tell 12.254.196.1
    03/30-07:43:44.665318 ARP who-has 12.254.196.215 tell 12.254.196.1
    03/30-07:43:46.751207 ARP who-has 12.254.196.198 tell 12.254.196.1
    03/30-07:43:52.415207 ARP who-has 12.254.196.198 tell 12.254.196.1
    03/30-07:43:54.804992 ARP who-has 12.254.218.38 tell 12.254.218.1
    03/30-07:43:55.394226 ARP who-has 12.254.196.198 tell 12.254.196.1
    03/30-07:43:57.753384 ARP who-has 12.254.218.38 tell 12.254.218.1
    03/30-07:43:57.794876 ARP who-has 12.254.196.198 tell 12.254.196.1
    03/30-07:44:01.402365 ARP who-has 12.254.196.198 tell 12.254.196.1
    03/30-07:44:05.463513 ARP who-has 12.254.196.198 tell 12.254.196.1
    03/30-07:44:05.966696 ARP who-has 12.254.196.21 tell 12.254.196.1
    03/30-07:44:08.745901 ARP who-has 12.254.196.21 tell 12.254.196.1
    03/30-07:44:12.942038 ARP who-has 12.254.196.21 tell 12.254.196.1
    03/30-07:44:13.214069 ARP who-has 12.254.218.92 tell 12.254.218.1
    03/30-07:44:14.359635 ARP who-has 12.254.197.86 tell 12.254.196.1
    03/30-07:44:15.506589 ARP who-has 12.254.196.198 tell 12.254.196.1
    03/30-07:44:16.035597 ARP who-has 12.254.218.92 tell 12.254.218.1
    03/30-07:44:17.288402 ARP who-has 12.254.197.86 tell 12.254.196.1
    03/30-07:44:18.923146 ARP who-has 12.254.196.198 tell 12.254.196.1
    03/30-07:44:18.940937 ARP who-has 12.254.196.21 tell 12.254.196.1
    03/30-07:44:21.065003 ARP who-has 12.254.196.198 tell 12.254.196.1
    03/30-07:44:22.070863 ARP who-has 12.254.218.92 tell 12.254.218.1
    03/30-07:44:22.926730 ARP who-has 12.254.196.21 tell 12.254.196.1
    03/30-07:44:23.987135 ARP who-has 12.254.196.198 tell 12.254.196.1
    03/30-07:44:27.889823 ARP who-has 12.254.196.21 tell 12.254.196.1
    03/30-07:44:29.987557 ARP who-has 12.254.196.198 tell 12.254.196.1
    03/30-07:44:30.941153 ARP who-has 12.254.196.21 tell 12.254.196.1
    03/30-07:44:34.190083 ARP who-has 12.254.196.198 tell 12.254.196.1
    03/30-07:44:37.407636 ARP who-has 12.254.196.198 tell 12.254.196.1
    03/30-07:44:40.261346 ARP who-has 12.254.196.198 tell 12.254.196.1
    03/30-07:44:44.337146 ARP who-has 12.254.197.78 tell 12.254.196.1
    03/30-07:44:44.645038 ARP who-has 12.254.196.198 tell 12.254.196.1
    03/30-07:44:47.638655 ARP who-has 12.254.196.198 tell 12.254.196.1
    03/30-07:44:53.652358 ARP who-has 12.254.196.198 tell 12.254.196.1
    03/30-07:44:54.969391 ARP who-has 12.254.196.157 tell 12.254.196.1
    03/30-07:44:57.648329 ARP who-has 12.254.196.198 tell 12.254.196.1
    03/30-07:44:57.953713 ARP who-has 12.254.196.157 tell 12.254.196.1
    03/30-07:45:00.565018 ARP who-has 12.254.196.198 tell 12.254.196.1
    03/30-07:45:03.977000 ARP who-has 12.254.196.157 tell 12.254.196.1
    03/30-07:45:04.493559 ARP who-has 12.254.196.198 tell 12.254.196.1
    03/30-07:45:05.343448 ARP who-has 12.254.197.190 tell 12.254.196.1
    03/30-07:45:10.036769 ARP who-has 12.254.196.198 tell 12.254.196.1
    03/30-07:45:11.172120 ARP who-has 10.50.120.120 tell 10.50.120.1
    03/30-07:45:12.489212 ARP who-has 12.254.196.198 tell 12.254.196.1
    03/30-07:45:14.172762 ARP who-has 10.50.120.120 tell 10.50.120.1
    03/30-07:45:15.386142 ARP who-has 12.254.196.198 tell 12.254.196.1
    03/30-07:45:20.333071 ARP who-has 12.254.196.198 tell 12.254.196.1
    03/30-07:45:24.517624 ARP who-has 12.254.196.198 tell 12.254.196.1
    03/30-07:45:30.087950 ARP who-has 12.254.196.198 tell 12.254.196.1
    03/30-07:45:30.604849 ARP who-has 12.254.196.157 tell 12.254.196.1
    03/30-07:45:33.083095 ARP who-has 12.254.196.198 tell 12.254.196.1
    03/30-07:45:33.552352 ARP who-has 12.254.196.157 tell 12.254.196.1
    03/30-07:45:36.384994 ARP who-has 12.254.196.198 tell 12.254.196.1
    03/30-07:45:39.081830 ARP who-has 12.254.196.198 tell 12.254.196.1
    03/30-07:45:39.588489 ARP who-has 12.254.196.157 tell 12.254.196.1
    03/30-07:45:40.425915 ARP who-has 12.254.196.21 tell 12.254.196.1
    03/30-07:45:43.435497 ARP who-has 12.254.196.21 tell 12.254.196.1
    03/30-07:45:43.994729 ARP who-has 12.254.196.157 tell 12.254.196.1
    03/30-07:45:45.268503 ARP who-has 12.254.196.198 tell 12.254.196.1
    03/30-07:45:45.288428 ARP who-has 12.255.16.36 tell 12.255.16.1
    03/30-07:45:46.804660 ARP who-has 12.254.196.157 tell 12.254.196.1
    03/30-07:45:48.214582 ARP who-has 12.255.16.36 tell 12.255.16.1
    03/30-07:45:49.436807 ARP who-has 12.254.196.21 tell 12.254.196.1
    03/30-07:45:49.776931 ARP who-has 12.254.196.157 tell 12.254.196.1
    03/30-07:45:50.955405 ARP who-has 12.254.196.198 tell 12.254.196.1
    03/30-07:45:52.764978 ARP who-has 12.254.218.127 tell 12.254.218.1
    03/30-07:45:53.965649 ARP who-has 12.254.196.198 tell 12.254.196.1
    03/30-07:45:54.223303 ARP who-has 12.255.16.36 tell 12.255.16.1
    03/30-07:45:54.836632 ARP who-has 12.254.196.164 tell 12.254.196.1
    03/30-07:45:55.785715 ARP who-has 12.254.196.157 tell 12.254.196.1
    03/30-07:45:55.871981 ARP who-has 12.254.218.127 tell 12.254.218.1
    03/30-07:45:56.853428 ARP who-has 12.255.16.36 tell 12.255.16.1
    03/30-07:45:57.170431 ARP who-has 12.254.197.232 tell 12.254.196.1
    03/30-07:45:57.859370 ARP who-has 12.254.196.164 tell 12.254.196.1
    03/30-07:45:58.960271 ARP who-has 12.254.196.157 tell 12.254.196.1
    03/30-07:45:59.711572 ARP who-has 12.254.197.232 tell 12.254.196.1
    03/30-07:45:59.985432 ARP who-has 12.254.196.198 tell 12.254.196.1
    03/30-07:46:01.301854 ARP who-has 12.254.197.90 tell 12.254.196.1
    03/30-07:46:01.921423 ARP who-has 12.254.196.157 tell 12.254.196.1
    03/30-07:46:02.227024 ARP who-has 12.254.218.127 tell 12.254.218.1
    03/30-07:46:03.736137 ARP who-has 12.255.16.36 tell 12.255.16.1
    03/30-07:46:03.884590 ARP who-has 12.254.196.164 tell 12.254.196.1
    03/30-07:46:06.521673 ARP who-has 12.254.196.157 tell 12.254.196.1
    03/30-07:46:06.578251 ARP who-has 12.254.196.198 tell 12.254.196.1
    03/30-07:46:08.977544 ARP who-has 12.254.196.157 tell 12.254.196.1
    03/30-07:46:10.027586 ARP who-has 12.254.196.198 tell 12.254.196.1
    03/30-07:46:11.900832 ARP who-has 12.254.196.157 tell 12.254.196.1
    03/30-07:46:12.073428 ARP who-has 12.254.196.198 tell 12.254.196.1
    03/30-07:46:14.916423 ARP who-has 12.255.16.36 tell 12.255.16.1
    03/30-07:46:15.164418 ARP who-has 12.254.218.127 tell 12.254.218.1
    03/30-07:46:15.457694 ARP who-has 12.254.196.157 tell 12.254.196.1
    03/30-07:46:15.615623 ARP who-has 10.50.121.178 tell 10.50.120.1
    03/30-07:46:15.961050 ARP who-has 12.254.196.164 tell 12.254.196.1
    03/30-07:46:16.352632 ARP who-has 12.254.196.198 tell 12.254.196.1
    03/30-07:46:17.925297 ARP who-has 12.254.196.157 tell 12.254.196.1
    03/30-07:46:18.549523 ARP who-has 10.50.121.178 tell 10.50.120.1
    03/30-07:46:19.300125 ARP who-has 12.254.196.198 tell 12.254.196.1
    03/30-07:46:20.001540 ARP who-has 12.254.196.157 tell 12.254.196.1
    03/30-07:46:24.561832 ARP who-has 12.254.196.157 tell 12.254.196.1
    03/30-07:46:25.310286 ARP who-has 12.254.196.198 tell 12.254.196.1
    03/30-07:46:27.699625 ARP who-has 12.254.197.122 tell 12.254.196.1
    03/30-07:46:28.013033 ARP who-has 12.254.196.198 tell 12.254.196.1
    03/30-07:46:30.562901 ARP who-has 12.254.196.157 tell 12.254.196.1
    03/30-07:46:30.944859 ARP who-has 12.254.197.122 tell 12.254.196.1
    03/30-07:46:33.453990 ARP who-has 12.254.196.157 tell 12.254.196.1
    03/30-07:46:33.982614 ARP who-has 12.254.196.198 tell 12.254.196.1
    
    
    
    03/30-07:46:21.869285 0:30:80:6E:AC:8C -> FF:FF:FF:FF:FF:FF type:0x800 len:0x176
    12.242.19.34:67 -> 255.255.255.255:68 UDP TTL:246 TOS:0x0 ID:15134 IpLen:20 DgmLen:360 DF
    Len: 340
    02 01 06 00 FF FF 94 8C 00 00 80 00 00 00 00 00  ................
    0A 6D 52 D0 0C F2 13 09 0A 6D 52 01 00 20 40 B7  .mR......mR.. @.
    94 8C 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 68 73 64 31  ............hsd1
    2E 35 4D 2E 63 66 67 00 00 00 00 00 00 00 00 00  .5M.cfg.........
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 63 82 53 63  ............c.Sc
    35 01 02 36 04 0C F2 13 22 33 04 00 09 3A 80 01  5..6...."3...:..
    04 FF FF FF 00 02 04 00 00 54 60 03 04 0A 6D 52  .........T`...mR
    01 04 08 0C F2 13 32 0C F2 13 22 07 04 00 00 00  ......2...".....
    00 43 0B 68 73 64 31 2E 35 4D 2E 63 66 67 42 0B  .C.hsd1.5M.cfgB.
    31 32 2E 32 34 32 2E 31 39 2E 39 00 00 00 00 00  12.242.19.9.....
    00 00 00 00 00 00 00 00 00 00 00 FF              ............
    
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    03/30-07:46:21.981907 0:30:80:6E:AC:8C -> FF:FF:FF:FF:FF:FF type:0x800 len:0x176
    12.242.19.34:67 -> 255.255.255.255:68 UDP TTL:246 TOS:0x0 ID:15135 IpLen:20 DgmLen:360 DF
    Len: 340
    02 01 06 00 FF FF 94 8C 00 00 80 00 00 00 00 00  ................
    0A 6D 52 D0 0C F2 13 09 0A 6D 52 01 00 20 40 B7  .mR......mR.. @.
    94 8C 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 68 73 64 31  ............hsd1
    2E 35 4D 2E 63 66 67 00 00 00 00 00 00 00 00 00  .5M.cfg.........
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 63 82 53 63  ............c.Sc
    35 01 05 36 04 0C F2 13 22 33 04 00 09 3A 80 01  5..6...."3...:..
    04 FF FF FF 00 02 04 00 00 54 60 03 04 0A 6D 52  .........T`...mR
    01 04 08 0C F2 13 32 0C F2 13 22 07 04 00 00 00  ......2...".....
    00 43 0B 68 73 64 31 2E 35 4D 2E 63 66 67 42 0B  .C.hsd1.5M.cfgB.
    31 32 2E 32 34 32 2E 31 39 2E 39 00 00 00 00 00  12.242.19.9.....
    00 00 00 00 00 00 00 00 00 00 00 FF              ............
    
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
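The attached capture is the kind of thing worth triaging mechanically before concluding anything; this added script (an editor's example, not code from the post) parses snort -ead ARP lines like those above, groups who-has requests by the address in the tell field, and flags what a defender would look at: requests for the local address, askers that are not gateway-looking .1 addresses, and, for captures that also contain replies, any IP announced with more than one MAC. The reply line format and the local address 12.254.196.200 are assumptions; the post shows requests only and does not give the host's own IP.

```python
import re
from collections import Counter, defaultdict

# Request lines copied from the snort -ead capture in the post, plus two constructed
# reply lines (the "reply ... is-at" format is an assumption; the post has requests only).
SAMPLE = """\
03/30-07:43:32.868036 ARP who-has 12.254.196.198 tell 12.254.196.1
03/30-07:43:54.804992 ARP who-has 12.254.218.38 tell 12.254.218.1
03/30-07:45:11.172120 ARP who-has 10.50.120.120 tell 10.50.120.1
03/30-07:45:45.288428 ARP who-has 12.255.16.36 tell 12.255.16.1
03/30-07:46:33.982614 ARP who-has 12.254.196.198 tell 12.254.196.1
03/30-07:46:40.000000 ARP reply 12.254.196.1 is-at 0:30:80:6E:AC:8C
03/30-07:46:41.000000 ARP reply 12.254.196.1 is-at 0:30:80:6E:AC:8C
"""

REQ = re.compile(r"^(\S+) ARP who-has (\S+) tell (\S+)$")
REP = re.compile(r"^(\S+) ARP reply (\S+) is-at (\S+)$")

def parse(text):
    """Split a capture into (ts, target, asker) requests and (ts, ip, mac) replies."""
    reqs, reps = [], []
    for line in text.splitlines():
        if m := REQ.match(line.strip()):
            reqs.append(m.groups())
        elif m := REP.match(line.strip()):
            reps.append(m.groups())
    return reqs, reps

def triage(text, local_ip):
    """Summarise who asks for whom and flag what deserves a second look."""
    reqs, reps = parse(text)
    by_asker = defaultdict(Counter)
    for _, target, asker in reqs:
        by_asker[asker][target] += 1
    macs = defaultdict(set)
    for _, ip, mac in reps:
        macs[ip].add(mac.upper())
    return {
        "askers": {a: dict(c) for a, c in by_asker.items()},
        # Requests for our own address: a few are normal, a steady flood is not.
        "asked_for_local": sum(c[local_ip] for c in by_asker.values()),
        # Askers that are not gateway-looking .1 addresses on a shared cable segment.
        "non_gateway_askers": sorted(a for a in by_asker if not a.endswith(".1")),
        # One IP announced with two different MACs is the classic ARP-poisoning indicator.
        "ip_with_multiple_macs": sorted(ip for ip, s in macs.items() if len(s) > 1),
    }

if __name__ == "__main__":
    print(triage(SAMPLE, "12.254.196.200"))  # placeholder for the poster's own address
```

Run over the full capture, every tell address is a .1 gateway on four different segments (12.254.196.1, 12.254.218.1, 10.50.120.1, 12.255.16.1) and the targets are other hosts on those segments, which is the shape of ordinary broadcast traffic on a shared cable plant rather than of anything addressed to this host.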
    
    
    
    
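The two UDP 67 to 68 broadcasts at the end of the capture are DHCP, and the useful question about them is who they are for; this added decoder (an editor's example, not code from the post) parses the BOOTP fixed header and the RFC 2132 option TLVs that follow the magic cookie. The sample bytes are transcribed from the first dump above, with its runs of zeros filled in by the bytearray.

```python
import struct
from ipaddress import IPv4Address

MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}

def sample_packet():
    """UDP payload transcribed from the first dump in the post (zero runs filled by bytearray)."""
    p = bytearray(332)
    p[0:44] = bytes.fromhex(
        "02010600" "FFFF948C" "0000" "8000" "00000000"   # op/htype/hlen/hops, xid, secs, flags, ciaddr
        "0A6D52D0" "0CF21309" "0A6D5201"                 # yiaddr, siaddr, giaddr
        "002040B7948C" "00000000000000000000")           # chaddr (16 bytes)
    p[108:119] = b"hsd1.5M.cfg"                          # BOOTP 'file' field
    p[236:] = bytes.fromhex(
        "63825363" "350102" "36040CF21322" "330400093A80" "0104FFFFFF00"
        "020400005460" "03040A6D5201" "04080CF213320CF21322" "070400000000"
        "430B" + b"hsd1.5M.cfg".hex() + "420B" + b"12.242.19.9".hex() + "00" * 16 + "FF")
    return bytes(p)

def decode_dhcp(pkt):
    """Decode the BOOTP fixed header and the RFC 2132 option TLVs after the magic cookie."""
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", pkt[:12])
    yiaddr, siaddr, giaddr = (IPv4Address(pkt[o:o + 4]) for o in (16, 20, 24))
    if pkt[236:240] != b"\x63\x82\x53\x63":
        raise ValueError("no DHCP magic cookie; plain BOOTP or not DHCP at all")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 0xFF:          # 0xFF = end option
        if pkt[i] == 0:                               # 0x00 = pad
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return {
        "op": "BOOTREPLY" if op == 2 else "BOOTREQUEST",
        "type": MSG_TYPES.get(opts[53][0], "unknown"),
        "xid": f"{xid:#010x}",
        "client_mac": pkt[28:28 + hlen].hex(":"),
        "yiaddr": str(yiaddr), "siaddr": str(siaddr), "giaddr": str(giaddr),
        "server_id": str(IPv4Address(opts[54])),
        "lease_secs": int.from_bytes(opts[51], "big"),
        "bootfile": pkt[108:236].split(b"\0", 1)[0].decode(),  # option 67 repeats it
        "tftp_server": opts[66].decode(),
    }

if __name__ == "__main__":
    print(decode_dhcp(sample_packet()))
```

On the first dump this yields a BOOTREPLY of type OFFER for client 00:20:40:b7:94:8c, offering 10.109.82.208 via relay 10.109.82.1 from server 12.242.19.34 with a 7-day lease, bootfile hsd1.5M.cfg and TFTP server 12.242.19.9; the second dump differs only in timestamp, IP ID and option 53 = 5, the matching ACK.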
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Sun Mar 31 2002 - 21:47:49 PST