From: "Paul T. Root"
Message-Id: <199711131755.LAA01581@horton.iaces.com>
Subject: Re: ARE THEY ABLE TO CRACK UNIX PASSWORDS???
To: randyk@ccsales.com (Randy A. Katz)
Date: Thu, 13 Nov 1997 11:55:17 -0600 (CST)
Cc: shovey@buffnet.net, questions@FreeBSD.ORG
In-Reply-To: <3.0.5.32.19971113085135.00a3ce20@ccsales.com> from "Randy A. Katz" at "Nov 13, 97 08:51:35 am"
Sender: owner-freebsd-questions@FreeBSD.ORG

In a previous message, Randy A. Katz said:
> OK.
>
> We're using master.passwd, it seems they can just pull down this file and
> crack it. They got my root passwd and logged in and created other users
> which have root access. The password they got is something like 5693k. Did
> they actually get it from sniffing?

They could have. tcpdump will watch every keystroke.

> I just can't believe they guessed that password!???!
>
> This guy's driving me nuts! Help!
>
> Thanx,
> Randy Katz

Take the machine off the network.
Remove all the extraneous users.
Change ALL passwords on the machine.
Install ssh and use it as much as possible.
Search for setuid files owned by root and remove/turn them off
(or make sure they are secure).
Install tcpd and use it.
Firewall.

--
What if there's not a tomorrow? There wasn't yesterday.
--Bill Murray - GroundHog's Day
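
The "search for setuid files owned by root" step from the reply above, as an added example that is not part of the original message: it lists setuid files under a directory and reports the ones missing from a reviewed allowlist. The function names `list_setuid` and `unexpected_setuid` and the allowlist file (one absolute path per line) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original message.

# list_setuid DIR [OWNER]
# Print regular files under DIR that have the setuid bit set and are owned
# by OWNER (default: root). -xdev keeps find on one filesystem so network
# mounts are not walked; output is sorted for stable comparison.
list_setuid() {
    dir=$1
    owner=${2:-root}
    find "$dir" -xdev -type f -user "$owner" -perm -4000 -print 2>/dev/null |
        LC_ALL=C sort
}

# unexpected_setuid DIR ALLOWLIST [OWNER]
# Print every setuid file found by list_setuid whose path is not an exact
# line in ALLOWLIST (hypothetical file: one absolute path per line, built
# from a known-good install and reviewed by hand).
unexpected_setuid() {
    dir=$1
    allow=$2
    owner=${3:-root}
    list_setuid "$dir" "$owner" | while IFS= read -r path; do
        # -F fixed string, -x whole line, -q quiet: exact path match only
        grep -Fxq -- "$path" "$allow" || printf '%s\n' "$path"
    done
}

# Typical use on the affected host (run as root, allowlist path is yours):
#   unexpected_setuid / /root/setuid-allowlist.txt
# Each path printed is a candidate for `chmod u-s` or removal after review.
```

Anything reported that was not shipped with the base system or a known package is worth treating as attacker-placed until shown otherwise.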