From owner-freebsd-hackers Sun Jun 23 23:25:57 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id XAA27329 for hackers-outgoing; Sun, 23 Jun 1996 23:25:57 -0700 (PDT)
Received: from gvr.win.tue.nl (root@gvr.win.tue.nl [131.155.210.19]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id XAA27291; Sun, 23 Jun 1996 23:25:45 -0700 (PDT)
Received: by gvr.win.tue.nl (8.6.12/1.53) id IAA11793; Mon, 24 Jun 1996 08:25:33 +0200
From: guido@gvr.win.tue.nl (Guido van Rooij)
Message-Id: <199606240625.IAA11793@gvr.win.tue.nl>
Subject: Re: I need help on this one - please help me track this guy down!
To: jkh@time.cdrom.com (Jordan K. Hubbard)
Date: Mon, 24 Jun 1996 08:25:32 +0200 (MET DST)
Cc: hackers@freebsd.org, security@freebsd.org, ache@freebsd.org
In-Reply-To: <7979.835575935@time.cdrom.com> from "Jordan K. Hubbard" at "Jun 23, 96 05:25:35 pm"
X-Mailer: ELM [version 2.4ME+ PL17 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> A traceroute from wcarchive doesn't show me much, but if anybody can
> glean some useful information out of it I'd appreciate it.
>
> Thanks!
>
>  5  Helsinki2.FI.EU.net (134.222.228.45)  555.687 ms  518.720 ms  507.602 ms
>  6  StPetersburg.RU.EU.net (134.222.23.2)  549.172 ms  592.407 ms  630.928 ms
>  7  spb-2-gw.spb.su (193.124.83.66)  547.190 ms  573.518 ms  569.656 ms
>  8  hqlgu-LE.pu.ru (193.124.255.134)  519.318 ms  657.805 ms  651.496 ms
>  9  slip-0.pu.ru (193.124.85.1)  840.489 ms  671.729 ms  650.750 ms
> 10  nat.pu.ru (193.124.85.134)  638.649 ms  653.720 ms  720.170 ms
> 11  gw.pu.ru (193.124.85.219)  752.144 ms  645.046 ms  641.413 ms
> 12  localhost (127.0.0.1)  670.113 ms  702.233 ms  695.733 ms
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Do you have anti-spoof filter rules in your backbone router? If not, install them. If so, please add packets coming in from localhost to them.
I don't know how he got in, but you can suspect rlogin plus a localhost entry in hosts.equiv combined with source-routed packets. In general it is a bad idea to trust localhost, as this is a relative IP address. Unless of course you either block packets coming from localhost or block source-routed packets.

-Guido
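The ingress filter Guido is recommending, written out as an added example (this is not code from the thread or from FreeBSD, and the real thing would be ipfw or router ACL rules, not Python): it parses a raw IPv4 header, drops packets whose source is loopback or one of the site's own prefixes when they arrive on the outside interface, and drops anything carrying a Loose or Strict Source and Record Route option, which is what lets a forged 127.0.0.1 source still get its replies back. The site prefix 193.124.85.0/24 is an assumption drawn from the pu.ru hops in the traceroute, the sample packets are constructed for the example, and the header checksum is left at zero.

```python
import ipaddress
import struct

# IPv4 option types that carry a source route (RFC 791).
LSRR = 131   # Loose Source and Record Route (0x83)
SSRR = 137   # Strict Source and Record Route (0x89)

# Source prefixes that must never arrive from the outside.
MARTIANS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("0.0.0.0/8")]

# Assumed site prefix for this example, taken from the 193.124.85.x hops in
# the traceroute; a real filter lists every prefix the site itself routes.
INTERNAL_NETS = [ipaddress.ip_network("193.124.85.0/24")]


def parse_ipv4(pkt: bytes):
    """Return (src, dst, options) from a raw IPv4 header; raise on a bad header."""
    if len(pkt) < 20:
        raise ValueError("short header")
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad version/IHL")
    src = ipaddress.IPv4Address(pkt[12:16])
    dst = ipaddress.IPv4Address(pkt[16:20])
    return src, dst, pkt[20:ihl]


def source_routed(options: bytes) -> bool:
    """Walk the IP option list; True if an LSRR/SSRR option is present."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                # End of Option List
            return False
        if kind == 1:                # No Operation: single byte, no length
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            return True              # truncated or malformed option: fail closed
        if kind in (LSRR, SSRR):
            return True
        i += options[i + 1]          # skip over this option by its length field
    return False


def ingress_verdict(pkt: bytes, internal_nets=INTERNAL_NETS) -> str:
    """Verdict for a packet arriving on the external-facing interface."""
    try:
        src, _dst, opts = parse_ipv4(pkt)
    except ValueError as err:
        return f"drop: malformed ({err})"
    if any(src in net for net in MARTIANS):
        return "drop: martian source"
    if any(src in net for net in internal_nets):
        return "drop: internal source arriving from outside"
    if source_routed(opts):
        return "drop: source-routed"
    return "accept"


def build_ipv4(src: str, dst: str, options: bytes = b"") -> bytes:
    """Construct a minimal IPv4 header (checksum left 0) for the samples below."""
    opts = options + b"\x00" * (-len(options) % 4)   # pad options to 32-bit words
    ihl = 5 + len(opts) // 4
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | ihl, 0, 20 + len(opts), 0, 0, 64, 6, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + opts


def lsrr_option(*hops: str) -> bytes:
    """LSRR option: type, length (3 + 4 per hop), pointer (4), then the hop list."""
    body = b"".join(ipaddress.IPv4Address(h).packed for h in hops)
    return bytes([LSRR, 3 + len(body), 4]) + body


# Constructed sample packets (not captured traffic); addresses from the traceroute.
GATEWAY = "193.124.85.219"           # gw.pu.ru, the hop just before "localhost"
SAMPLES = {
    "normal":           build_ipv4("134.222.23.2", GATEWAY),
    "spoofed_loopback": build_ipv4("127.0.0.1", GATEWAY),
    "spoofed_internal": build_ipv4("193.124.85.134", GATEWAY),
    "source_routed":    build_ipv4("131.155.210.19", GATEWAY, lsrr_option(GATEWAY)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:18} {ingress_verdict(pkt)}")
```

The order of checks matters only for the reported reason: a packet from 127.0.0.1 carrying an LSRR option is dropped either way. Dropping source-routed packets outright is the simpler of the two defences Guido names, since it also covers forged sources that are not loopback.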