From owner-freebsd-questions Thu Nov 13 10:31:58 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id KAA05486 for questions-outgoing; Thu, 13 Nov 1997 10:31:58 -0800 (PST) (envelope-from owner-freebsd-questions)
Received: from erinet.com (mail-in.erinet.com [207.0.229.27]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id KAA05480 for ; Thu, 13 Nov 1997 10:31:55 -0800 (PST) (envelope-from richard@eri.erinet.com)
Received: from eri.erinet.com (shell.erinet.com [207.0.229.11]) by erinet.com (8.8.8/8.8.5.27) with ESMTP id NAA28376; Thu, 13 Nov 1997 13:36:17 -0500 (EST)
Received: from localhost (richard@localhost) by eri.erinet.com (8.8.5/8.8.0) with SMTP id NAA02711; Thu, 13 Nov 1997 13:30:06 -0500 (EST)
Date: Thu, 13 Nov 1997 13:30:05 -0500 (EST)
From: richard
To: "Randy A. Katz"
cc: questions@FreeBSD.ORG
Subject: Re: ARE THEY ABLE TO CRACK UNIX PASSWORDS???
In-Reply-To: <3.0.5.32.19971113085135.00a3ce20@ccsales.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

It wouldn't surprise me that password, 5693k, was cracked, or even guessed. It is very weak. A good example of a password is one that is not any kind of proper name or any word that appears in the dictionary. If you insist on some kind of name then try unusual capitalization and spaces in the password. Something like blaH 34iT .

How is the hacker getting in? Through telnet? If so disable all remote logins until you reassess the security of your box and do damage control. If the hacker knows a bit about UNIX in general he/she could have placed a 'trojan horse' program on your box. A trojan horse is a program that acts like a program that it replaced, such as the 'ls' program, but the hacker has added a feature that will spawn a root shell. That means he doesn't even have to know the root password anymore.

Others on the list will have to give you advice on how to check for suspicious proggies on your system doing things that they shouldn't. But the first thing to do is don't let the hacker back in. Shut down any service that the hacker used. System security is worth the inconvenience of temporary loss of functionality until you can get your unit in a state that the hacker will be less likely successful.

An excellent book is 'Practical UNIX and Internet Security' by O'Reilly and Assoc. The book focuses on security concepts and is not system specific, meaning it talks about most common flavors of UNIX.

- Richard.

On Thu, 13 Nov 1997, Randy A. Katz wrote:

> OK.
>
> We're using master.passwd, it seems they can just pull down this file and
> crack it. They got my root passwd and logged in and created other users
> which have root access. The password they got is something like 5693k. Did
> they actually get it from sniffing?
>
> I just can't believe they guessed that password!???!
>
> This guy's driving me nuts! Help!
>
> Thanx,
> Randy Katz
>
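
Added example, not part of either message above: the quoted report says the intruder created extra users with root access, so this sh/awk script flags UID 0 accounts outside an allowlist, and empty password fields, in master.passwd-format input. The function names, the root/toor allowlist and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Audit master.passwd-format text for accounts an intruder may have added.
# Field layout per FreeBSD passwd(5):
#   name:password:uid:gid:class:change:expire:gecos:home_dir:shell

# Accounts expected to hold UID 0 (assumption: stock "root" and "toor").
ALLOWED_UID0="root toor"

# Reads the file named in $1 (or stdin) and prints one finding per line:
#   "UID0 <name>", "EMPTYPW <name>" or "MALFORMED <line-number>".
audit_master_passwd() {
    awk -F: -v allowed="$ALLOWED_UID0" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        NF != 10 { print "MALFORMED " NR; next }
        $3 ~ /^0+$/ && !($1 in ok) { print "UID0 " $1 }   # unexpected superuser
        $2 == "" { print "EMPTYPW " $1 }                   # login without a password
    ' "$@"
}

# Constructed sample data, not taken from a real system.
sample_master_passwd() {
    cat <<'EOF'
# constructed sample
root:$1$CONSTRUCTED$placeholder:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/nonexistent
alice:$1$CONSTRUCTED$placeholder:1001:1001::0:0:Alice:/home/alice:/bin/tcsh
sysadm:$1$CONSTRUCTED$placeholder:0:0::0:0:System Admin:/home/sysadm:/bin/sh
guest::1002:1002::0:0:Guest:/home/guest:/bin/sh
EOF
}

# Run against the sample; prints "UID0 sysadm" and "EMPTYPW guest".
sample_master_passwd | audit_master_passwd
```

On a live system the same function can be run as root with `audit_master_passwd /etc/master.passwd`; any UID0 finding should be compared against the accounts the administrator actually created.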