From owner-freebsd-questions Sat Sep 22 19:42: 0 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from switchblade.cyberpunkz.org (switchblade.cyberpunkz.org [198.174.169.125]) by hub.freebsd.org (Postfix) with ESMTP id B62B237B40E for ; Sat, 22 Sep 2001 19:41:51 -0700 (PDT)
Received: (from rob@localhost) by switchblade.cyberpunkz.org (8.11.6/CpA-TLS1.2) id f8N2fa202903; Sat, 22 Sep 2001 21:41:36 -0500 (CDT) (envelope-from rob)
Posted-Date: Sat, 22 Sep 2001 21:41:36 -0500 (CDT)
Date: Sat, 22 Sep 2001 21:41:36 -0500
From: Rob Andrews
To: jason
Cc: Rob , ybbor@freedom.net, freebsd-questions@FreeBSD.ORG
Subject: Re: Freebsd being hacked
Message-ID: <20010922214136.B9739@switchblade.cyberpunkz.org>
References: <20010921160628.5AD2337B41A@hub.freebsd.org> <3BAB66EB.2C80217B@home.com> <01c801c143cd$c9dc4fe0$89941bd8@speakeasy.net>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="dc+cDN39EJAMEtIO"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <01c801c143cd$c9dc4fe0$89941bd8@speakeasy.net>; from kib@mediaone.net on Sat, Sep 22, 2001 at 09:19:22PM -0400
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Sat, Sep 22, 2001 at 09:19:22PM -0400, jason wrote:
> Then after the system boots up to the command prompt mount your drives with:
> mount -A

OK, first off it's not -A :) it's -a to mount all file systems. Before you
mount all the file systems in single-user mode it would be advised to
run fsck on the file systems to ensure they are all clean before you mount
them. Better safe than sorry :)

> At that point you should be able to use the passwd command. Also you should
> NEVER allow telnet access to the root or toor accounts (at least in my
> opinion). If you need root access from remote then create a regular account
> and add it to the wheel group. You can log in and use the su command to deal
> with root tasks.

Telnetting to any system and then using su for root is a bad idea. As a matter
of fact sudo can be dangerous if you allow full access or critical application
access on an unencrypted connection. It would be far more advisable to set up
sshd on a system for this purpose if you must insist upon logging in as root.
However, I would suggest setting up sudo and logging in as a regular user instead.

> Also be sure that you either delete toor or set a password for it. I
> personally do not like the account so I delete it after install.

toor is a locked account by default. I fail to see, from what he was
talking about, where deleting the toor account would have made any real
difference, since it would possibly appear that someone jacked the account
and did set a password on it so they could attempt to move semi-silently on
the system as root without in fact being "root".

I use the toor account quite a bit since I am not a csh/tcsh fan. It's come
in very handy since I'm comfortable in that environment. I've no need to
tamper with either root or toor, since some people who admin a system prefer
csh while others like bash. With toor and root both intact and set up per
default on the system I have yet to see any real troubles related directly
to toor that would not also directly affect the root login. So I don't
really see your logic in changing the default, since it was thought out well
in the first place or it would not have been installed that way by the folks
building the FreeBSD default install.

Also, my question to the originator of this email would be: what POP3 server
was being used on the system? It would appear that it was possibly an exploit
used via POP3 that gained access to the system, maybe. My thought is that
possibly this is related to qpopper, since I heard not so long ago that there
was an exploit being used against qpopper for something similar to this very
problem.

Just my 2 cents.. Cheers..

-- 
Rob Andrews
Administrator
Cyberpunk Alliance
http://www.cyberpunkz.org/
Minneapolis, MN
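The message above makes the point that toor ships locked and that the real warning sign is someone quietly setting a password on it (or adding another UID-0 login). The check below is an added example, not code from the thread or from FreeBSD's own tooling: a POSIX sh/awk audit of master.passwd-format text that lists every UID-0 account whose password field is not a lock marker. It assumes the standard ten-field FreeBSD master.passwd layout and the "*" / "*LOCKED*" lock conventions; the sample entries and hashes embedded in it are constructed placeholders, not taken from any real system.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a FreeBSD-style
# master.passwd for UID-0 accounts that are not locked.
#
# master.passwd has ten colon-separated fields:
#   name:password:uid:gid:class:change:expire:gecos:home:shell
# A locked account carries "*" in the password field; pw(8) lock writes a
# "*LOCKED*" prefix. Anything else (a hash, or an empty field) is a usable
# login, which for a second UID-0 account such as toor is exactly the
# tampering the message above describes.

# Constructed sample (placeholder hashes): root is in normal use, toor has
# quietly been given a password, and "backup" is an extra UID-0 account
# with an empty password field.
SAMPLE_MASTER_PASSWD='root:$1$abcdefgh$ZZZZZZZZZZZZZZZZZZZZZ/:0:0::0:0:Charlie &:/root:/bin/csh
toor:$1$ijklmnop$YYYYYYYYYYYYYYYYYYYYY/:0:0::0:0:Bourne-again Superuser:/root:/usr/local/bin/bash
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
backup::0:0::0:0:constructed example:/root:/bin/sh
operator:*:2:5::0:0:System &:/:/usr/sbin/nologin
rob:$1$qrstuvwx$XXXXXXXXXXXXXXXXXXXXX/:1001:1001::0:0:Rob Andrews:/home/rob:/usr/local/bin/bash'

# Read master.passwd-format text on stdin; print "name:shell" for every
# UID-0 account whose password field is not a lock marker.
unlocked_uid0() {
    awk -F: '
        NF >= 7 && $3 == 0 && $2 != "*" && $2 !~ /^\*LOCKED\*/ { print $1 ":" $10 }
    '
}

# Number of unlocked UID-0 logins other than root. Anything above 0 means
# toor (or another UID-0 name) has been given a password and deserves a
# look. Reads the same stdin format.
extra_uid0_logins() {
    unlocked_uid0 | awk -F: '$1 != "root"' | wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample; on a real box you would
# feed it "cat /etc/master.passwd" as root instead.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_MASTER_PASSWD" | unlocked_uid0
    printf 'extra UID-0 logins: %s\n' \
        "$(printf '%s\n' "$SAMPLE_MASTER_PASSWD" | extra_uid0_logins)"
fi
```

Run it with `sh audit.sh --demo` to see the three UID-0 entries the sample contains; against the constructed input it reports toor and backup as the two extra logins. The awk filter deliberately treats an empty password field as unlocked, since an empty field means login without any password at all.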