Date: Wed, 4 Apr 2001 10:29:28 -0700
From: Jon Rust <jpr@vcnet.com>
To: freebsd-questions@freebsd.org
Subject: 4.2S compromised: what now?
Message-ID: <20010404102928.A23357@mail.vcnet.com>
I discovered a user's account on one of my servers was compromised (actually, they used write(1) to send some cryptic message to my account which, ehem, got my attention real quickly). Turns out the script kiddie(s) had been using it since Dec 2 at least (I only have wtmp files going back that far). It doesn't *look* like they got into anything else. They tried several exploit proggies including joe28, mailbrute, elvwreck, exklock, and hackpop, a few specifically noting exploits available in 4.2-Release (with certain ports installed). I've been combing through the system trying to find any shred of evidence to suggest they got farther, but haven't yet. Pointers appreciated.

The thing that concerns me is, how did they get into this account? It's one of the staff members' accounts (fortunately, with no special privs). I know what the password was, and it was not something that I'd think could be dictionaried (2 names with mixed case joined with an underscore). The user in question never logged into it from anywhere but their own system here in the office, and not in a LONG time (6 months anyway). Ideas?

I don't see any other users' accounts that have been accessed in the same way (again, wtmp only goes back to Dec 2). All the logins came from apparently exploited machines overseas. Joy.

Thanks,
jon

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
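The survey the post describes (going through wtmp to see which accounts were reached from which hosts, and whether any other account shows the same pattern) can be scripted over the output of last(1). The following is an added example, not code from the post or from FreeBSD; the sample last(1) lines, the account names and the per-account allow-list of expected source hosts are all constructed for illustration.

```python
"""Summarize last(1)/wtmp output per account and flag logins from unexpected sources."""
from collections import defaultdict

WEEKDAYS = {"Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"}
PSEUDO_USERS = {"reboot", "shutdown"}

# Constructed sample in the layout of FreeBSD last(1) output; not real log data.
SAMPLE_LAST_OUTPUT = """\
jdoe      ttyp1    192.0.2.10            Fri Mar 30 02:14 - 02:50  (00:36)
jdoe      ttyp0    198.51.100.7          Sun Dec  2 04:01 - 04:22  (00:21)
jdoe      ttyp2    ws-office.example.com Tue Dec  5 09:00 - 17:30  (08:30)
admin     ttyv0                          Wed Apr  4 08:00   still logged in
reboot    ~                              Sat Dec  1 23:58
wtmp begins Sat Dec  1 23:58:11 2000
"""

# Hypothetical allow-list: the source hosts each account is expected to log in from.
# An empty set means the account is only ever used from the console.
EXPECTED_SOURCES = {
    "jdoe": {"ws-office.example.com"},
    "admin": set(),
}


def parse_last(text):
    """Turn last(1) lines into records of user, tty, source host and login time."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        # Skip blank lines, the trailing "wtmp begins ..." line and reboot/shutdown entries.
        if not fields or fields[0] == "wtmp" or fields[0] in PSEUDO_USERS:
            continue
        user, tty = fields[0], fields[1]
        # Console logins carry no host column: the weekday follows the tty directly.
        if len(fields) > 2 and fields[2] not in WEEKDAYS:
            host = fields[2]
            when = " ".join(fields[3:7])
        else:
            host = ""
            when = " ".join(fields[2:6])
        records.append({"user": user, "tty": tty, "host": host, "when": when})
    return records


def sources_by_user(records):
    """Map each account to the set of hosts it has been logged into from."""
    out = defaultdict(set)
    for r in records:
        out[r["user"]].add(r["host"] or "(console)")
    return dict(out)


def unexpected_logins(records, expected):
    """Return, per account, the remote logins whose source host is not on the allow-list."""
    flagged = defaultdict(list)
    for r in records:
        if not r["host"]:
            continue  # console logins are treated as local and trusted here
        if r["host"] not in expected.get(r["user"], set()):
            flagged[r["user"]].append(r)
    return dict(flagged)


if __name__ == "__main__":
    recs = parse_last(SAMPLE_LAST_OUTPUT)
    for user, hosts in sorted(sources_by_user(recs).items()):
        print(f"{user}: {', '.join(sorted(hosts))}")
    for user, hits in unexpected_logins(recs, EXPECTED_SOURCES).items():
        for r in hits:
            print(f"UNEXPECTED {user} from {r['host']} on {r['when']} ({r['tty']})")
```

On a live system the text fed to `parse_last` would come from `last` itself; since wtmp is rotated, the same script can be run over each archived `last -f wtmp.N` output so the survey covers the whole retention window rather than only the current file.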