OpenBSD 6.7-stable macppc hacked?

Riccardo Giuntoli Tue, 16 Feb 2021 01:17:59 -0800

Hi there I've got a strange process that spawn from init in the environment
above. No network traffic. Look ahead:


 |-+= 51452 root login -p -- \^[[7~\^[[7~\^[[7~\^[[7~\^[[7~\^[[7~\^[[7~\^[[7
 | \--- 73422 root passwd -v login=yes -s login --
\^[[7~\^[[7~\^[[7~\^[[7~\^[[7~\^[[7~\^[[7~\^[[7 default (login_passwd)

They depend directly from init.

taglio@cyberanarkhia:/sbin$ ls -al init



-r-xr-xr-x  1 root  bin  345348 Nov 25 19:39 init*
taglio@cyberanarkhia:/sbin$

taglio@cyberanarkhia:/sbin$ md5 init



MD5 (init) = 0fbb14ece72860443abe2c2ddb2ae96a
taglio@cyberanarkhia:/sbin$

[ using 1142476 bytes of bsd ELF symbol table ]
console out [NVDA,Display-B] console in [keyboard], using USB
using parent NVDA,Parent:: memaddr 98000000, size 8000000 : consaddr
98004000 : ioaddr 91000000, size 1000000: width 1280 linebytes 1536 height
1024 depth 8
Copyright (c) 1982, 1986, 1989, 1991, 1993
        The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2020 OpenBSD. All rights reserved.
https://www.OpenBSD.org

OpenBSD 6.7-stable (GENERIC.MP) #1: Mon Dec 21 08:42:13 CET 2020
    [email protected]:/sys/arch/macppc/compile/
GENERIC.MP

root@cyberanarkhia:/usr/libexec/auth# ls -al
total 388
drwxr-x---  2 root  auth       512 Nov 25 19:39 ./
drwxr-xr-x  6 root  wheel     1024 Dec 22 18:54 ../
-r-xr-sr-x  4 root  _token   21900 Nov 25 19:39 login_activ*
-r-sr-xr-x  1 root  auth      9340 Nov 25 19:39 login_chpass*
-r-xr-sr-x  4 root  _token   21900 Nov 25 19:39 login_crypto*
-r-sr-xr-x  1 root  auth     17688 Nov 25 19:39 login_lchpass*
-r-sr-xr-x  1 root  auth      9340 Nov 25 19:39 login_passwd*
-r-xr-sr-x  1 root  _radius  17628 Nov 25 19:39 login_radius*
-r-xr-xr-x  1 root  auth      9340 Nov 25 19:39 login_reject*
-r-xr-sr-x  1 root  auth     13480 Nov 25 19:39 login_skey*
-r-xr-sr-x  4 root  _token   21900 Nov 25 19:39 login_snk*
-r-xr-sr-x  4 root  _token   21900 Nov 25 19:39 login_token*
-r-xr-sr-x  1 root  auth     21628 Nov 25 19:39 login_yubikey*
root@cyberanarkhia:/usr/libexec/auth#

root@cyberanarkhia:/usr/libexec/auth# md5 login_passwd



MD5 (login_passwd) = 17ed9f36a170b5614de566f71768e753
root@cyberanarkhia:/usr/libexec/auth#

root     login      39663 text /usr        52236  -r-xr-xr-x     r    25824
root     login      39663   wd /               2  drwxr-xr-x     r     1024
root     login      39663    0 /             741  crw-------    rw    ttyC0
root     login      39663    1 /             741  crw-------    rw    ttyC0
root     login      39663    2 /             741  crw-------    rw    ttyC0
root     login      39663    3* unix stream 0x325e9a08 <-> 0x325e90a8
root     login_passwd 50752 text /usr        78065  -r-sr-xr-x     r
9340
root     login_passwd 50752   wd /home     4595712  drwxr-xr-x     r
1536
root     login_passwd 50752    0 /             564  crw--w----    rw
 ttyp1
root     login_passwd 50752    1 /             564  crw--w----    rw
 ttyp1
root     login_passwd 50752    2 /             564  crw--w----    rw
 ttyp1
root     login_passwd 50752    3* unix stream 0x325e9468 <-> 0x325e9968
root     login_passwd 50752    4 /            1090  crw-rw-rw-   rwp
 tty

Any suggestions?

Nice regards,

RG
-- 
Name: Riccardo Giuntoli
Email: [email protected]
Location: sant Pere de Ribes, BCN, Spain
PGP Key: 0x67123739
PGP Fingerprint: CE75 16B5 D855 842FAB54 FB5C DDC6 4640 6712 3739
Key server: hkp://wwwkeys.eu.pgp.net

OpenBSD 6.7-stable macppc hacked?

Reply via email to