From owner-freebsd-security Mon Jul 28 15:07:33 1997
Date: Mon, 28 Jul 1997 15:07:10 -0700 (PDT)
From: Vincent Poy
To: Robert Watson
cc: Tomasz Dudziak, security@FreeBSD.ORG, "[Mario1-]", JbHunt
Subject: Re: security hole in FreeBSD

On Mon, 28 Jul 1997, Robert Watson wrote:

=)On Mon, 28 Jul 1997, Vincent Poy wrote:
=)
=)> On Mon, 28 Jul 1997, Robert Watson wrote:
=)>
=)> Yep, sniffing would work but can they actually sniff outside of
=)> the network?
=)
=)Well, once you have one host, you have all the hosts on the same ethernet
=)segment. Typically, though, problems with sniffing occur on college dorm
=)networks, which run large numbers of less-well-managed Linux/etc hosts.
=)This may be an increasing problem on Cable-modem networks, which I
=)understand work something like Ethernet, in that they are broadcast
=)networks for a local segment. Also, who is to say that occasionally
=)routers or ISP machines don't get broken into, and sniffing occurs? Any
=)of your users could be logging in from an untrusted network, so in essence
=)you are relying on that network to be secure as well as your own.

That would be true but it seems the attacker can only get into the
FreeBSD-current machines and not the other ones running 2.1.7.1R or 2.2.2R.
Of course the -current machines are the ones that really run the ISP.
The T1 line directly terminates in the house so no one local would packet
sniff it and would be foolish to do so since they can just boot in single
user mode. Of course routers can be broken into or even our backbone
provider CRL's. We're running a FreeBSD 2.1.7R based router with an ET card
and the hacker never made it into the machine.

=)> =)Your best hope at this point is to shut down the system, boot on a floppy
=)> =)with a CDROM mounted, and then do a strategic MD5 checksum of all binaries
=)> =)and check for changes. If you're running STABLE, your best bet may be to
=)> =)sup down differences, but to reinstall the binaries necessary to support
=)> =)the cvsup stuff from CDROM, as well as system kernel and /bin, /sbin, etc.
=)> =)If he's made enough changes to zap syslog, netstat, login-stuff, I
=)> =)wouldn't trust any other tools on the system currently.
=)>
=)> Not even a rebuild of -current after cvs?
=)
=)Well, the problem is, I could easily replace cvs with a script that does
=)cvs, then installs my security hole again. :)

True but if it sups from hub.FreeBSD.ORG, how would you forge it?

Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET
Unix Networking Operations - FreeBSD-Real Unix for Free
GaiaNet Corporation - M & C Estate
Beverly Hills, California USA 90210
HongKong Stars/Gravis UltraSound Mailing Lists Admin
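The offline MD5 check that Robert Watson recommends above, written out as an added example (this is not code from the thread, nor a FreeBSD tool): a POSIX shell script that builds a checksum manifest of a binary tree from a trusted boot and later compares the live tree against it. It assumes `md5sum` (GNU) or `md5` (BSD) is on the path, and its `demo` function runs against a constructed temporary directory standing in for /bin, so nothing on the real system is touched.

```shell
#!/bin/sh
# Added example, not from the thread and not a FreeBSD tool.
# Build a manifest of "<md5> <path>" lines from a trusted boot, then compare
# the live tree against it. The md5 tool, find(1) and the manifest itself
# must live on the read-only media (floppy/CDROM): a trojaned binary on the
# suspect system could otherwise lie about its own checksum.
# Assumption: md5sum (GNU) or md5 (BSD) is available.

# Print "<hash> <file>" for each file given, with whichever md5 tool exists.
sumtool() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$@"
    elif command -v md5 >/dev/null 2>&1; then
        md5 -r "$@"          # -r prints the same "hash file" layout as md5sum
    else
        echo "no md5 tool found" >&2
        return 2
    fi
}

# make_manifest DIR OUT: hash every regular file under DIR into OUT.
make_manifest() {
    find "$1" -type f | LC_ALL=C sort | while read -r f; do
        sumtool "$f"
    done > "$2"
}

# verify_manifest MANIFEST: report files whose hash changed or that vanished.
# Returns 0 when everything matches, 1 when anything differs.
verify_manifest() {
    bad=0
    while read -r expected file; do
        if [ ! -f "$file" ]; then
            echo "MISSING  $file"
            bad=1
            continue
        fi
        actual=$(sumtool "$file" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $file"
            bad=1
        fi
    done < "$1"
    return $bad
}

# demo: constructed sample tree in place of /bin. After the manifest is
# taken, one file is overwritten and another removed, so the report shows
# both kinds of finding. Prints the report; exits 0 if the check behaved.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/bin"
    printf 'pretend this is ls\n'      > "$tmp/bin/ls"
    printf 'pretend this is netstat\n' > "$tmp/bin/netstat"
    printf 'pretend this is login\n'   > "$tmp/bin/login"

    make_manifest "$tmp/bin" "$tmp/bin.md5"      # taken from the trusted boot
    verify_manifest "$tmp/bin.md5" >/dev/null && clean=yes || clean=no

    printf 'trojaned netstat\n' > "$tmp/bin/netstat"   # simulated tampering
    rm "$tmp/bin/login"
    report=$(verify_manifest "$tmp/bin.md5") && tampered=no || tampered=yes
    echo "$report"
    rm -rf "$tmp"
    [ "$clean" = yes ] && [ "$tampered" = yes ]
}

demo
```

On a real recovery the manifest would be made from the distribution's pristine binaries (or from the CDROM copy), and the same check applied to cvs, cvsup and the toolchain before trusting any rebuild, which is exactly the objection raised above about replacing cvs with a wrapper script.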