From owner-freebsd-security Mon Jul 28 15:10:45 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id PAA06985 for security-outgoing; Mon, 28 Jul 1997 15:10:45 -0700 (PDT)
Received: from time.cdrom.com (root@time.cdrom.com [204.216.27.226]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id PAA06977 for ; Mon, 28 Jul 1997 15:10:40 -0700 (PDT)
Received: from time.cdrom.com (jkh@localhost.cdrom.com [127.0.0.1]) by time.cdrom.com (8.8.6/8.6.9) with ESMTP id PAA04912; Mon, 28 Jul 1997 15:10:36 -0700 (PDT)
To: Vincent Poy
cc: security@FreeBSD.ORG, "[Mario1-]" , JbHunt
Subject: Re: security hole in FreeBSD
In-reply-to: Your message of "Mon, 28 Jul 1997 03:19:55 PDT."
Date: Mon, 28 Jul 1997 15:10:35 -0700
Message-ID: <4908.870127835@time.cdrom.com>
From: "Jordan K. Hubbard"
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

I think you are describing the symptom, not the problem. This looks very much like a system which was broken into and then trojan'd to allow easier, more invisible access. How do you know, for example, that your telnetd is really telnetd? Did you verify that? ;)

Also, I'd check that inetd.conf file again and make _really sure_ you haven't left remote shell access enabled - a lot of people miss that because it's not explicitly labelled "rlogin" like they might expect.

Jordan
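
One way to run the two checks suggested in the message above (is telnetd really telnetd, and is remote shell access still enabled in inetd.conf), as an added example that is not part of the original post. The sample inetd.conf, the `known_good` hash manifest and the `root` mount-point parameter are assumptions of this example; the service names `shell`, `login` and `exec` are how inetd.conf lists rshd, rlogind and rexecd.

```python
import hashlib
from pathlib import Path

# inetd.conf lists rshd, rlogind and rexecd under these service names.
R_SERVICES = {"shell": "rshd", "login": "rlogind", "exec": "rexecd"}

# Constructed sample input, not taken from the original message.
SAMPLE_CONF = """\
ftp     stream  tcp  nowait  root  /usr/libexec/ftpd     ftpd -l
telnet  stream  tcp  nowait  root  /usr/libexec/telnetd  telnetd
shell   stream  tcp  nowait  root  /usr/libexec/rshd     rshd
#login  stream  tcp  nowait  root  /usr/libexec/rlogind  rlogind
"""

def enabled_services(conf_text):
    """Yield (service, program) for every entry that is not commented out."""
    for line in conf_text.splitlines():
        fields = line.split()
        # Fields: service, socket type, protocol, wait flag, user, program, args
        if len(fields) < 6 or fields[0].startswith("#"):
            continue
        yield fields[0], fields[5]

def sha256_file(path):
    """Hash a file in chunks so large binaries are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def audit(conf_text, known_good, root="/"):
    """Return (service, finding) pairs. known_good maps a program path to the
    SHA-256 recorded from trusted media; root is where the audited
    filesystem is mounted (both are assumptions of this example)."""
    findings = []
    for service, program in enabled_services(conf_text):
        if service in R_SERVICES:
            findings.append((service, "r-service-enabled"))
        if program == "internal":  # built into inetd, no binary to hash
            continue
        path = Path(root) / program.lstrip("/")
        if not path.is_file():
            findings.append((service, "binary-missing"))
        elif program not in known_good:
            findings.append((service, "no-reference-hash"))
        elif sha256_file(path) != known_good[program]:
            findings.append((service, "hash-mismatch"))
    return findings
```

On a host that may already be trojaned, its own interpreter and hashing tools cannot be trusted either, so mount the disk read-only on a known-clean system and pass that mount point as `root`.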