From owner-freebsd-questions Wed Apr 4 11:48:50 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from emaginet.com (london.emaginet.com [63.65.80.130]) by hub.freebsd.org (Postfix) with ESMTP id 7E5B037B71C for ; Wed, 4 Apr 2001 11:48:47 -0700 (PDT) (envelope-from ggeisbert@e-centives.com)
Received: from latest.bethesda.emaginet.com (latest.bethesda.emaginet.com [172.16.0.69]) by emaginet.com (8.9.3/8.9.0) with ESMTP id OAA00403; Wed, 4 Apr 2001 14:43:18 -0400
Received: from ecexchange.bethesda.emaginet.com (ecexchange.bethesda.emaginet.com [172.16.60.65]) by latest.bethesda.emaginet.com (8.9.0/8.9.0) with ESMTP id OAA10995; Wed, 4 Apr 2001 14:56:02 -0400
Received: by ecexchange.bethesda.emaginet.com with Internet Mail Service (5.5.2653.19) id ; Wed, 4 Apr 2001 14:49:52 -0400
Received: from fbsd.bethesda.emaginet.com ([172.16.4.93]) by ecexchange.bethesda.emaginet.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id H1G182GQ; Wed, 4 Apr 2001 14:49:44 -0400
From: Gary Geisbert
To: Jon Rust
Cc: freebsd-questions@freebsd.org
Subject: Re: 4.2S compromised: what now?
Date: Wed, 4 Apr 2001 10:49:08 -0400
X-Mailer: KMail [version 1.1.99]
Content-Type: text/plain; charset="us-ascii"
References: <20010404102928.A23357@mail.vcnet.com> <01040409504704.40117@fbsd.bethesda.emaginet.com> <20010404114217.B23357@mail.vcnet.com>
In-Reply-To: <20010404114217.B23357@mail.vcnet.com>
MIME-Version: 1.0
Message-Id: <01040410490806.40117@fbsd.bethesda.emaginet.com>
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Wednesday 04 April 2001 14:42, Jon Rust wrote:

>
> She has no other accounts on the network. The system was apparently
> broken into before I was running 4.2-S... probably 4.1.1-S from Oct 19.
> Telnet was allowed, but she only accessed it from our LAN. This machine

Is it possible that someone had a sniffer running on your LAN? Do you have remote users via a VPN? I've seen remote machines be compromised, and people use them as entry points into a firewalled network (*waves to AOL*).

> DNS set-up.) Speaking of which, didn't openssh have an exploit a few
> months ago? Maybe that was how they got in?

It's very possible. If my memory serves, OpenSSH < 2.3.0 was remotely exploitable.

>
> jon

I hate it when people say things like this after the fact, but you may want to set up an IDS box on your internal network. I've had good luck with snort. As always, ymmv :-\

Good luck,

// Gary
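As an added example (not from this thread, and not Gary's or the FreeBSD project's code), here is a small Python audit helper a responder could run across the remaining hosts after an incident like this one. It applies the two checks raised above: whether the sshd identification banner advertises an OpenSSH release older than the 2.3.0 threshold Gary recalls, and whether telnet is still enabled in inetd.conf. The threshold, the banner string and the inetd.conf lines are assumptions and constructed sample input, not data from the thread.

```python
import re
from typing import List, Optional, Tuple

# Threshold as recalled in the message above (an assumption, not verified here):
# OpenSSH releases older than this are flagged for upgrade.
OPENSSH_MIN = (2, 3, 0)

# SSH identification banner: "SSH-<proto>-<software>"; OpenSSH uses "OpenSSH_<ver>[p<n>]".
BANNER_RE = re.compile(r"^SSH-[\d.]+-OpenSSH_(?P<ver>\d+(?:\.\d+)*)")


def parse_openssh_version(banner: str) -> Optional[Tuple[int, ...]]:
    """Return the OpenSSH version tuple from a banner, or None if it is not OpenSSH."""
    m = BANNER_RE.match(banner.strip())
    return tuple(int(x) for x in m.group("ver").split(".")) if m else None


def openssh_below_min(banner: str) -> bool:
    """True when the banner advertises an OpenSSH release older than OPENSSH_MIN."""
    ver = parse_openssh_version(banner)
    if ver is None:
        return False  # not OpenSSH: the banner alone cannot tell us anything
    padded = ver + (0,) * (len(OPENSSH_MIN) - len(ver))  # treat "2.3" as "2.3.0"
    return padded < OPENSSH_MIN


def telnet_enabled(inetd_conf: str) -> bool:
    """True if inetd.conf has an active (uncommented) telnet service line."""
    for line in inetd_conf.splitlines():
        fields = line.strip().split()
        if fields and fields[0] == "telnet":  # a commented line starts with "#telnet"
            return True
    return False


def audit_host(banner: str, inetd_conf: str) -> List[str]:
    """Collect findings for one host from its sshd banner and its inetd.conf."""
    findings = []
    if openssh_below_min(banner):
        findings.append("sshd: OpenSSH older than %s" % ".".join(map(str, OPENSSH_MIN)))
    if telnet_enabled(inetd_conf):
        findings.append("inetd: telnet enabled (cleartext logins can be sniffed on the LAN)")
    return findings


# Constructed sample input (not taken from the thread).
SAMPLE_BANNER = "SSH-1.99-OpenSSH_2.2.0p1"
SAMPLE_INETD_CONF = """\
#ftp    stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
"""

if __name__ == "__main__":
    for finding in audit_host(SAMPLE_BANNER, SAMPLE_INETD_CONF):
        print(finding)
```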