From owner-freebsd-questions  Sun Sep 23  7: 7:24 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from smtp3.mx.pitdc1.stargate.net (smtp3.mx.pitdc1.stargate.net [206.210.69.143])
	by hub.freebsd.org (Postfix) with SMTP id 5EEC737B426
	for <freebsd-questions@FreeBSD.ORG>; Sun, 23 Sep 2001 07:07:21 -0700 (PDT)
Received: (qmail 5349 invoked from network); 23 Sep 2001 14:05:40 -0000
Received: from unknown (HELO wastegate.net) (209.166.133.114)
  by smtp3.mx.pitdc1.stargate.net with SMTP; 23 Sep 2001 14:05:40 -0000
Received: (qmail 8713 invoked from network); 23 Sep 2001 14:05:40 -0000
Received: from unknown (HELO mother) (192.168.1.2)
  by 192.168.1.1 with SMTP; 23 Sep 2001 14:05:40 -0000
From: "Doug Reynolds" <mav@wastegate.net>
To: "Rob" <europax@home.com>, "ybbor@freedom.net" <ybbor@freedom.net>
Cc: "freebsd-questions@FreeBSD.ORG" <freebsd-questions@FreeBSD.ORG>
Date: Sun, 23 Sep 2001 10:04:49 -0400
Reply-To: "Doug Reynolds" <mav@wastegate.net>
X-Mailer: PMMail 98 Professional (2.01.1600) For Windows 98 (4.10.2222)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Subject: Re: Freebsd being hacked
Message-Id: <20010923140721.5EEC737B426@hub.freebsd.org>
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG

On Fri, 21 Sep 2001 09:12:28 -0700, Rob wrote:

>> Today i try to log in to my computer and i can't telnet in to it.  So
>> i went to the box, and i can't log in to it.  on the screen it says
>> there was an 'su pop to toor'.  and that the kernel log was full.  it
>> looks like i was hacked, so i unpluged the comptuer from the network
>> and now i don't know what to do.
>> 
>> how do i log in to a comptuer if someone changed the root password and
>> disabled every other account?

>I'd reinstall the OS from an ISO disk.  Others with more experience in
>this might have a better solution.

you could drop into single user mode and just use passwd (i believe) if
you want to get some working logs.  but I would definatly
fdisk/format/reinstall the whole OS.  sounds like you got hit by the
telnet hack.

---
doug reynolds | the maverick | mav@wastegate.net



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message