From: Gary Geisbert
To: Jon Rust, freebsd-questions@freebsd.org
Subject: Re: 4.2S compromised: what now?
Date: Wed, 4 Apr 2001 09:50:47 -0400

On Wednesday 04 April 2001 13:29, Jon Rust wrote:
> > The thing that concerns me is, how did they get into this account?

I would start looking elsewhere on your network for answers. Your network is only as secure as your weakest link. :-\

Perhaps the user uses the same password for all accounts, and someone rooted another machine on your network, and set up a sniffer...?

The best way to do it is the same way you do a risk analysis, and work backwards. Think of all the steps that would have to happen for someone to compromise the user's password, and I'm sure you'll get pointed in the right direction.

Good luck

// Gary