From owner-freebsd-security Mon Jul 28 16:15:29 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id QAA10952 for security-outgoing; Mon, 28 Jul 1997 16:15:29 -0700 (PDT)
Received: from mail.MCESTATE.COM (vince@mail.MCESTATE.COM [207.211.200.50]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id QAA10942 for ; Mon, 28 Jul 1997 16:15:21 -0700 (PDT)
Received: from localhost (vince@localhost) by mail.MCESTATE.COM (8.8.5/8.8.5) with SMTP id QAA06831; Mon, 28 Jul 1997 16:15:14 -0700 (PDT)
Date: Mon, 28 Jul 1997 16:15:13 -0700 (PDT)
From: Vincent Poy
To: "Jordan K. Hubbard"
cc: security@FreeBSD.ORG, "[Mario1-]" , JbHunt
Subject: Re: security hole in FreeBSD
In-Reply-To: <4908.870127835@time.cdrom.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 28 Jul 1997, Jordan K. Hubbard wrote:

=)I think you are describing the symptom, not the problem.
=)
=)This looks very much like a system which was broken into and then
=)trojan'd to allow easier, more invisible access. How do you know,
=)for example, that your telnetd is really telnetd? Did you verify that? ;)

Well, because I connect to the system using telnet ;) Also, this guy has been known to break into machines (theca@wil-de7-10.ix.netcom.com). This is the person who also hacked irc.hardlink.com. I think this person goes around hacking machine after machine, and nobody does anything about it.

=)Also, I'd check that inetd.conf file again and make _really sure_ you
=)haven't left remote shell access enabled - a lot of people miss that
=)because it's not explicitly labelled "rlogin" like they might expect.

I checked and disabled everything except telnetd in /etc/inetd.conf and rebooted the machine, and then he kicked all of us who are admins out and shut down the system.

Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET           ________   __ ____
Unix Networking Operations - FreeBSD-Real Unix for Free / / / / | / |[__  ]
GaiaNet Corporation - M & C Estate                     / / / /  | /  | __] ]
Beverly Hills, California USA 90210                   / / / / / |/ / | __] ]
HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____]
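
The two checks raised in the quoted advice (which inetd.conf entries are actually enabled, and whether a server binary such as telnetd is the genuine one) can be scripted. The following is an added example, not code from the thread or from FreeBSD; the sample inetd.conf, the `baseline` hash map and the function names are assumptions made for illustration.

```python
import hashlib
from pathlib import Path

# inetd.conf service names of the BSD r-commands: rshd is listed as "shell"
# and rlogind as "login", which is why they are easy to overlook.
R_SERVICES = {"shell": "rshd", "login": "rlogind", "exec": "rexecd"}

# Constructed sample input, not taken from the machine in the thread.
SAMPLE_INETD_CONF = """\
#ftp    stream  tcp  nowait  root  /usr/libexec/ftpd     ftpd -l
telnet  stream  tcp  nowait  root  /usr/libexec/telnetd  telnetd
shell   stream  tcp  nowait  root  /usr/libexec/rshd     rshd
#login  stream  tcp  nowait  root  /usr/libexec/rlogind  rlogind
daytime stream  tcp  nowait  root  internal
"""

def enabled_entries(conf_text):
    """Return (service, user, server_path) for every uncommented entry."""
    entries = []
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 6:  # service type proto wait user server [args]
            entries.append((fields[0], fields[4], fields[5]))
    return entries

def audit(conf_text, baseline, root="/"):
    """Flag r-services and server binaries whose SHA-256 is not in baseline.

    baseline maps server path -> hex digest recorded from known-good media
    (hypothetical input). Run from trusted media: on a compromised host the
    interpreter and libraries doing the hashing may be trojaned too.
    """
    findings = []
    for service, user, server in enabled_entries(conf_text):
        if service in R_SERVICES:
            findings.append((service, f"r-service enabled ({R_SERVICES[service]}) as {user}"))
        if server == "internal":  # handled inside inetd, no binary to hash
            continue
        binary = Path(root) / server.lstrip("/")
        if not binary.is_file():
            findings.append((service, f"server binary missing: {server}"))
        elif hashlib.sha256(binary.read_bytes()).hexdigest() != baseline.get(server):
            findings.append((service, f"hash mismatch or no baseline: {server}"))
    return findings

if __name__ == "__main__":
    for service, problem in audit(SAMPLE_INETD_CONF, baseline={}):
        print(f"{service}: {problem}")
```

The `root` parameter lets the audit run against a suspect disk mounted read-only on a clean machine instead of on the live system.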