From owner-freebsd-security Tue Mar 27 12:44:38 2001
Delivered-To: freebsd-security@freebsd.org
Received: from hotmail.com (f168.law14.hotmail.com [64.4.21.168]) by hub.freebsd.org (Postfix) with ESMTP id A3EC037B71A for ; Tue, 27 Mar 2001 12:44:28 -0800 (PST) (envelope-from jonslivko@hotmail.com)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Tue, 27 Mar 2001 12:44:19 -0800
Received: from 63.68.69.185 by lw14fd.law14.hotmail.msn.com with HTTP; Tue, 27 Mar 2001 20:44:18 GMT
X-Originating-IP: [63.68.69.185]
Reply-To: jslivko@nyc.rr.com
From: "Jonathan M. Slivko"
To: mlucas@gltg.com, anderson@centtech.com, security@FreeBSD.ORG
Subject: Re: fakename.fakedomain.com security check output
Date: Tue, 27 Mar 2001 15:44:18 -0500
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID:
X-OriginalArrivalTime: 27 Mar 2001 20:44:19.0084 (UTC) FILETIME=[B202A4C0:01C0B6FE]
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

My question about this subject is this: do you have any other root-level admins on your staff who have access to this machine? Also, have you noticed that the dmesg that was posted to the list has some casing errors, possibly indicating that something in the actual kernel has been changed, or something like that? Just something to watch out for. Just my two cents. Thanks for taking the time to read this.

-- Jonathan M. Slivko

>From: Michael Lucas
>To: Eric Anderson , security@FreeBSD.ORG
>CC: mlucas@gltg.com
>Subject: Re: fakename.fakedomain.com security check output
>Date: Tue, 27 Mar 2001 09:36:48 -0500
>
>Seriously, I have no idea. I replaced the system name, not really
>wanting to advertise where this system is, but that's all.
>
>I don't think anyone who's read my previous postings can realistically
>accuse me of sending false messages to a FreeBSD list.
>
>On Tue, Mar 27, 2001 at 08:30:44AM -0600, Eric Anderson wrote:
> > Give us a break.
> > > > > > > > "fakename.fakedomain.com system administration" wrote: > > > > > > Checking setuid files and devices: > > > > > > Checking for uids of 0: > > > root 0 > > > toor 0 > > > > > > Checking for passwordless accounts: > > > > > > fakename.fakedomain.com kernel log messages: > > > > \^B\^P \^P\^P\^A@\^B\^B\M^@\^B\^A@ \^D\^A@\^T\M^@@\^D\^D\M^@\^A >\^A\^D \^H\^H\^A\^A\^D\M^P\M^@@\^P\^P\^B\^A\^B\^D\^P\M^@@\^A\M^B \^D@\^P >@\^A@\^P@@\M^@\M^@\^P\^P\^A\^D\^H\^H\^D\^D\^D\M^@ >\^P@@\^P\^A\^A\^A@\^D\M^@"@\^P\^PhA\M^@PA @ >\^AA\^B\M^@\^D\^D\M^@P\^P@\^P\^A\M^@\^A\^B@\^H\^B\M^@\^E\^A\^P\^H\^B\^A\^H\^H >\M^@\^D\^H\M^@\^P\^P\^H\^B\^DH\^A\^D \^D\^X\^A \^D \^H@\^D@ >\^D\^A\^D\M^@\^P\^A\^H\^A@\^A\^D\M^@\^D\^A\M-@\M^@\^A\M^@\^H\^D \^H >\^P\^R\^A\^D\M^@\^B@\^B\^A@!\M^P\^A\^A > > > > \M^@ \^B\M^@\M^@\^P >\M^@@\M^@\^A\^P\^D\^P\M^A@\^Q\^A\^B\^B\^B@\^D@\^H\^D >\^H@\^D\240\M^@\^B\^H\^D\^D\^B\^H\^B@@ > > > > \^P\^D"\^B\^H \^B\^B\^D\^B\M^@\^P\^D\^H\^D\M^P \^A@\^B\^D\^D\^H\^D >\M^@\^B\^A\^D\M^@\^AP\^A\^A\^P\^B \M^@\^L\^H\M^@L\^H\^P >\^H\M^@\M^@\^H\M^@\^D@\^P@ > > > > \^H\^A > > > > \^D@\^H\^BP\^D >\^D\^P\^B\M^P\^A\^A@\^D\^P@@\^H\^H\M^@P\^A\^DP\M^@\^A\^L\^A\M^@@\^B\^D\^H\^B\^D\^A\^P(\M^@\^P\^H >\^D\^E\M^@\M^@\^H\^P\^K\^H@\^D\^H\^Y@\^B\^P\^X \^R@\M^@\M^D\^B\^H@\M^@\^D@ >\^P\M^@\^B\^D\^B\^D\M^P \^B\^P@\^H\^D\^X\M^@\^A\^H@\M^@\^D \^H\^H@\^PC\^D >\^P@\^B\^B\^H\^A@\^A\M^@ \M^@ \^H\^D >\^H\^P\^A\^B\^B\^A@@\^H\^P@\M^@\^B@\^B\^T\^B\^P\^B\M^@\^B\M^@\^PA@\^P >\^B\^P\^A@\^P\M^@@@ @\^D\^T\M^@\^D\^B\^A\^B \^H\^H\M^@\^P@\^H \^A\^D\^D >\^A\^A\^B\^P\^F\^D\^D\^D\^H\^D \^H $ >\^B"@\M^P\^A\^P\^B\M^B\M^@\^P\^A\^D\^P(\^H\M^@@ >\^P\^P\^A"@\M^@\^B\^B\^T\240\^D\M^@\^D\M^@ \M^@\^P\^D\^P\M^@\^H\^P > > > > \M^@\^P @\^B\^B\M^H\^A"\^A@@\^P\M^D\^B\^B\^B\^D >@\^A\^H\^H\M^@\^A@\^D\^A\^P \^A\^A\^H!\^B@\M^@\^B \^H\^C\^H\240\M^@@\^P >\^P\^P \^B\^B\^P\^H\^P\^P \^D\^D\^D\^D >\M^@\^H\^D\^A\^H\^A\^H\^D\^D\^P\M^@\^H\^P@\M^@\M^@\^B\^P"\M^@*\^H @\240\^D >\^A \M^@\^P$\^E@@\^A\^AD@\^D\M^@\^B\M^@\^A\^B\^P\^Q\M^@ 
\^B@\^B\M^@\^P\^P >\^A\^B\M^@\^D\M^D\^A(\M^@\M^@@\^P\^P\M^@\M^@\^B\^H\M^H@@\^A@\^P\^L\240\^H\^B >@\M^@\M^A\^L@\^D@\M^A\^A \M^@(\^B\^B\^B\^D\^A\M^@@\^P@\^P \^P >@\^B\M^@\^B@\M^@\^D \^H\^A\M^C\^D\^A\M-@\^B\^B@ \^A\^A >\^D\^N\^L\^H\^D@\^B\^A\^H\^B\^B\^P\^H" \M^@P\^P\^P!\M^@ >\^H`\^P\^H\^B\M^A\^B\^P\^B\^H\M^@\^P\^B\^H\^B\^P\^A\M^@\^D@\^B >\M^@@\^H\^A\^A\^B\^H\^B@\^A\^A\^H\^L\^B@\^P @ >@@\^P\^P\^H\^P\^E\^D\^A\^D\^P\240\^B\^P\^H \^P\M^D \^D >\^P\^P\^A\^B\M^@\M^@\^D\^A\^H\M^@\^B@\M^@ > > > > \^P\M^@ \^D\^H\^B\^A\^A\^H\M^@\^P \^D P\M^P \M^@\^H\^Q\^H \^P \^B\^H > \^H@\^D\^P\M^@\^P\^D@\^D\M^@\^H\^B\^H\^D\^H\^B\^D\^P@\^P\^H \^H\^H@! \^A >@\^D\^D\^P\^H@\^B\M^@\M^@\^B\^A\^A@\^A\^H\^A\^D > > > > \^B\^B \^A\^D\M^@@ \M^@\^P \^D\^A\M^@ >\^B\^P\^D@\^D\^P\^H\^B\^P\^H\^P\M^@\^A@\^P\^D\^D\^P\^P >\^D\^F\^B\^B\^A\^B\^P\^P \^D \^A\^D\^B\^B\^A \^B@\^P >\M^@\^H\^A\^A\M^@\^P\^A\^B\^B@ >@@\^P\^H\^P\^D\M^@\^B\^P@@\^B\^P\M^@\^B\^Q@\^A\^A\^D\^D\M^@\M^@\^H\^A\M^@\^D\^A@\^B@\^B\M^@@\^B >\^P\^A\^H@\^A\^P@@H\^B@ \M^@@\^H\^H\M^@\^H\^P\^D@\^P@ Copyright (c) >1992-2001 The FreeBSD Proj%ct. > > > > Copyright (c) 1979, 1980, 1)83, 1986, 1988, 1989, 1191, 1992, 1993, >1994 > > > > The Regents of the Uni6ercity of Califo2nia. All rights >2dserved. > > > > Free@SD 4.2-STABLE #1\^Z Fri Mar 2 09:11:\^P5 GMT 2001 > > > > mwlucas@fakename.fakedomain.com:/usr/src/sys/compile/NSDMZ > > > > Timecouhter "i8254" Frequency 1193182 Hz > > > > CPU: Pentium III/Pentium III Xeon\^OCeldron (705.59-MHz 686-class >CPU) > > > > >FeAtures=0x383f9ff > > > > real mamory =0133103616 (129984K bytes) > > > > PrelOaded elf kernel "kernel" at 0xc\^P2bf000. 
> > > > Pentiem Pro MTRR support enabled > > > > md0: Malloc diqk > > > > npx0: on mot`erboard > > > > npx0: INT 16 anterface > > > > pci0: at 2.0 irq 11 > > > > pcib1: at device 30.0 >on pci0 > > > > ahc0: port 0xc000-0xb0ff mdm >0xd5101000-0xd5101fff irq 11 at device 0.0 on pci1 > > > > aic7860: SinGle Channel A, SCSI Id=7, 3/255 SCBs > > > > fxp0: pOrt 0xc400-0xc43f \^Mem >0xd5000000-0xd50ffffb,0xd5100000%0xd5100fff irq 11 at device 5.0 on pci1 > > > > isab0: at$detice 31.0 >on pci0 > > > > isa0: on isab0 > > > > atapcI0: port 0xf000-0hf00fat device >30.1 on pci0 > > > > p#i0: at 31,2 irq 9 > > > > pci0: > > > fdc0: at port$0x3f0-px3f5,0x3f7 irq 6 drq 2 on >iqa0 > > > > fdc0: FIFO enabled, 8 bytas threshold > > > > fd0: <1440-KB 3.5" $rive> on Fdc0 drive 0 > > > > psm0: model Gejeric PS/2 mouse, device I\^D 0 > > > > vga0: at port 0x3c0-0x3df iomem 0xa0000-0xbffff on >isa0 > > > > qc0: at\240flags 0x100 on iSa0 > > > > sc0: VGA 416 vir4ual consoles, flags=0x3006 > > > > sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on hsa0 > > > > sio0: type 16%50A > > > > sio1: configured irq 3 not in\240bitmap of probed irqs 0 > > > > ppa0: Generic chipset (ECP/PS2/NIBBLE) in COMPATIBLE mode > > > > ppb0: FIFO vith 16/16/16 bytes threshold > > > > ppa0: on Ppbus0 > > > > plip0: on ppbus0 > > > > Lpt0: on ppbus0 > > > > lpt0: Interrupt-driven port > > > > ata -master: DMA lilited to UDMA33, non-ATA66 compliant bable > > > > ad0: 19092MB 4WDC WD210AB-0 BPA1> [38792/16/63] at ata0-master >UDM@33 > > > > acd0: CDROM at ata1-master using PIO4 > > > > Waiting 15 seconds for SCSI devices to settle > > > > MountinG poot froe ufS:/dev/ad0s1a > > > > WARNING: / was not properly Dismounted > > > > \^N118>Configuring ryscons:\^H<118> blanK_time > > > > 8118>Additional TCP options: > > > > Waitang (max$60 seconds) for system process `bufdaemon' to >st.p...stopped > > > > Waiding (max 60 seconds) for system process `cyncer' to >rtop...stopped > > > > > > > > synchng disks... 
> > > > done > > > > Copy2ight (c) 1992-2p01 The FReeBSD Project. > > > > Cnpyright!(c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, >1994 > > > > The R%gents nf \M-the Universiti of California. All pights >reserved. > > > > FreeBSD 4.2-STABLE #1: Fri Ear 2 09:11:05GMT 2001 > > > > mwl5cas@fakename.fakedomain.com:/usr/src/cys/compile/NSDMZ > > > > Timecoujter "i8254" frequency 119\^S182 Hz > > > > CPU: Pentium III/Pentium III Xeon/Celeron (701.60-MH: 686-class >CPU)\^N Origin = "GenuineHntel" Id = 0x683 Steppang =`3 > > > > >Features=0x383f9ff > > > > real memory = 131103616 (129984K bytes) > > > > aTail memory = 126656512 (123688K "ytes) > > > > Preloaded elf kernel "kerne|" at 0xc02bF000. > > > > Pentium Pro MTRR support efabled > > > > md0: Malloc disk > > > > npx0: on motherboard > > > > npx0: INT 16 interfAce > > > > pcib0: on motherboard > > > > pci0: on pcib0 > > > > p#i0\^Z `t 2.0 irq >11 > > > > pcib1: on pci0 > > > > pci1: on pcib1 > > > > ahc0: port 0xc000-0xc0ff mem >0xd5101000-0xd5101fff irq 11 ap device 0.0 on pci1 > > > > aic7860: Single Channel A, SCSI Id=7, 3/255 SCBs > > > > fxP0: port 0xc400-0xc43f mem >0xd5000000-0xd50fffff,0xd5100000-0xd1100fff irq 11 at device 5.0 nn pci1 > > > > fxp0: Ethernet address 00:02:b3:18:6d:d6 > > > > i3ab0: at device 31.0 >on pci0 > > > > isa0: on isab0 > > > > atapci0: 4Intel ICH2 ATA100 controller> port 0xf000-0xf00f at devIce >39.1 on pci0 > > > > ata0: at 0x1f0 irq 14 on atapci0 > > > > ata1: at 0x170 irq 15 on atapci0 > > > > pci0: at 31.2 irq 3 > > > > pci0: at 31.4 irq 5 > > > > pc)0: (vendor=0x8086, dev-0x2445) at 3!.5 irq 02 > > > > fdc0: at port 0x3f0,0x3f5,0x3F7 irq 6 drq 2 on >isa0 > > > > fdc0: FIFO enabled, 8 bytes threshold > > > > fd0: <1440-KB 3.5" drive> oj fdc0 $rive 0 > > > > atkbdc0: ap port \^Px60,0x64 on isa0 > > > > vga0: at port 0x3c0-0x3df inmem 0xa0000-0xbffff on >isa0 > > > > rc0: at fla's 0x100 on isa0 > > > > sc0: VGA <16 rirtual consoles, flags=0x300> > > > > sio0 at port 
0x3f8-0x3ff irq 4 flags 0x10 on isa0 > > > > sio0: type 16550@ > > > > sio1: confIgured irq 3 not in bitmap of probed i2qs 0 > > > > ppc0: at pOrt 0x\^S70-0X37f irq 7 on iqa0 > > > > ppc0: Generic chipsed (ECP/PS2/NIBBLE) in COMPAT BLE mode > > > > plip0: on ppbus0 > > > > ata0-masteb: DMA limited to UDMA33\^H non-ATA66 compliant cable > > > > ad0: 19092MB [38792/16/63] at ata0--aster >UDMA32 > > > > acd0: CDROM at ata1-mastep using PIO4 > > > > =118>setting ELF!ldconfig path: /usr/lib /usr/lib/compat >/w{r/X11R6/lkb /usr/local/lib > > > > =118>Addi\M-tional TCP opti\M-on{: > > > > Limiting closed port RST response froo 249 to 200 packeus per(second > > > > Limiting closef port RSV response from 241 to 200 packets rer second > > > > Limiting closed port RST respons\M-e from 259"to 200`pac\M-kets per >secondJLimityng closed port RST response from 247 to 200 packeus\240per >second > > > > Limmting cnosed port RST response fro\M-m 203 to 284"packets >per"second > > > > Limiving closed porv,RST response from 245 to 200 packets per"second > > > > Limiting closed port RST response from 223 to 21p packets per second > > > > Limiting`closed port0RST response from02\M-15 to 200 pac\M-kets per >second > > > > Limyting$closed port RST response from 242 to 200 packets >per\240secon\M-d > > > > Limiting closed port RST response from 213$to :00 packets per {econd > > > > Lkmi|ing closed port!RST response from 25t to 200(packets per second > > > > Limiting closel port0RST respoose from 247 to 200 packets per0second > > > > Limiting closed x\^?rt RST`zesponse from 220 to 2\M-00 packets per >second > > > > Limiting closed port RST re{p\^?nse f{om!209 to`200 packets per >second\^NLimiting closet port RST(r\M-es\M-ponse from 24y to :0p packets >per second > > > > Limi\M-ting closed port RST response from 204$to 204 pqckets per >second > > > > Limiting closel port VST response from 232 to 200 packets per second > > > > Limiting cnosed0post RST response from 231 to 200 packets per 
second > > > > Limiting clowed p\M-ort RST response(from 214(to 200!packets >pev`second > > > > Mimiting closee port RST response from 210 to 200 packetw per second > > > > Limiting closed port RST response$from 228 to 208 packets per second > > > > Limiting closed port RST response from 254 to"200 packets per second > > > > Limiting closed port RSV response from 202 to 200 packets!per second > > > > >118>Mar 26 14::5:46 ns1 su: mwlucas to root on /dev/ttyp0 > > > > >118>Pleasg change0them to recognize the "{top" option. > > > > Wai|ing (max\24060 seconds) for system process `bufdaemon' to >stop...stopped > > > > Waiving (max 60 seconds) fo\M-r cystem proce{s``syncer' to >stop...{topped > > > > synging disks... > > > > avail memory = 126652416 (123684K bytes) > > > > pci0: at 31.2 irq 9 > > > > pci0: at 31.4 irq 3 > > > > pci0: (vendor=0x8086, dev=0x2445) at 31.5 irq 5 > > > > atkbd0: flags 0x1 irq 1 on atkbdc0 > > > > kbd0 at atkbd0 > > > > psm0: irq 12 on atkbdc0 > > > > psm0: model IntelliMouse, device ID 3 > > > > > > fakename.fakedomain.com login failures: > > > > > > fakename.fakedomain.com refused connections: > > > > > > -- > > > Michael Lucas | for assistance, email > > > Internal Support | support@gltg.com or call > > > Great Lakes Technologies Group | 248-204-7256 > > > mlucas@gltg.com, 248-204-7258 | > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > with "unsubscribe freebsd-security" in the body of the message > > > > -- > > >------------------------------------------------------------------------------- > > Eric Anderson anderson@centtech.com > > Centaur Technology (512) 418-5792 > > Error: network data ocurred. 
> > >-------------------------------------------------------------------------------
>
>--
>Michael Lucas | for assistance, email
>Internal Support | support@gltg.com or call
>Great Lakes Technologies Group | 248-204-7256
>mlucas@gltg.com, 248-204-7258 |
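The open question in this thread is whether the damage in the posted kernel log is scattered byte corruption (line noise, a bad terminal capture) or a consistent change to kernel strings. One way to make that judgement repeatable, as an added example that is not part of this thread and not a FreeBSD tool: keep a known-good copy of the boot messages (on FreeBSD the natural source is /var/run/dmesg.boot saved right after a trusted boot), then compare each later capture against it character by character and classify every difference as a control byte, a case flip, or some other substitution. The baseline and suspect texts below are constructed samples in the style of the quoted report, not the original output.

```python
"""Integrity triage for a captured dmesg / daily security report.

Added example for this thread (not a FreeBSD tool): compares a newly
captured kernel log against a known-good baseline from the same host and
classifies every differing character, so an operator can tell scattered
byte corruption from a consistent edit such as a changed kernel string.
"""

# Constructed sample: a known-good dmesg excerpt saved after a clean boot.
BASELINE = """\
Copyright (c) 1992-2001 The FreeBSD Project.
FreeBSD 4.2-STABLE #1: Fri Mar 2 09:11:05 GMT 2001
Timecounter "i8254" frequency 1193182 Hz
real memory = 131103616 (129984K bytes)
Preloaded elf kernel "kernel" at 0xc02bf000.
Pentium Pro MTRR support enabled
"""

# Constructed sample of a later capture, mimicking the kind of damage seen
# in the quoted report (control bytes, flipped case, swapped digits).
SUSPECT = """\
Copyright (c) 1992-2001 The FreeBSD Proj%ct.
FreeBSD 4.2-STABLE #1\x1a Fri Mar 2 09:11:\x105 GMT 2001
Timecouhter "i8254" Frequency 1193182 Hz
real mamory =0133103616 (129984K bytes)
PrelOaded elf kernel "kernel" at 0xc\x102bf000.
Pentium Pro MTRR support enabled
"""


def is_printable(ch):
    """True for printable 7-bit ASCII (0x20..0x7e) or a tab."""
    return ch == "\t" or 0x20 <= ord(ch) <= 0x7E


def non_printable_positions(line):
    """Positions and byte values of every control / 8-bit character in a line."""
    return [(i, ord(ch)) for i, ch in enumerate(line) if not is_printable(ch)]


def compare_line(expected, actual):
    """Classify each character that differs between a baseline line and a
    captured line.  Returns a list of (index, kind, expected, actual) where
    kind is 'control' (captured byte is not printable ASCII), 'case' (same
    letter, different case) or 'other'.  A length change is reported as a
    single 'length' entry, since positional comparison is then meaningless."""
    if len(expected) != len(actual):
        return [(0, "length", len(expected), len(actual))]
    findings = []
    for i, (e, a) in enumerate(zip(expected, actual)):
        if e == a:
            continue
        if not is_printable(a):
            kind = "control"
        elif e.lower() == a.lower():
            kind = "case"
        else:
            kind = "other"
        findings.append((i, kind, e, a))
    return findings


def compare_report(baseline, suspect):
    """Compare two captures line by line; keys are 1-based line numbers.
    Only lines with at least one finding are returned.  A different line
    count is reported under the 'lines' key as (baseline, suspect)."""
    base_lines = baseline.splitlines()
    susp_lines = suspect.splitlines()
    report = {}
    for n, (b, s) in enumerate(zip(base_lines, susp_lines), start=1):
        findings = compare_line(b, s)
        if findings:
            report[n] = findings
    if len(base_lines) != len(susp_lines):
        report["lines"] = (len(base_lines), len(susp_lines))
    return report


def summarize(report):
    """Count findings by kind across the whole report.  Many 'control' and
    'other' hits spread over unrelated lines look like transport damage;
    a few 'case' or 'other' hits confined to identifying strings deserve a
    look at the kernel file itself."""
    counts = {}
    for key, findings in report.items():
        if key == "lines":
            continue
        for _, kind, _, _ in findings:
            counts[kind] = counts.get(kind, 0) + 1
    return counts


def main():
    report = compare_report(BASELINE, SUSPECT)
    for n in sorted(k for k in report if k != "lines"):
        for idx, kind, e, a in report[n]:
            print("line %d col %d: %-7s expected %r got %r" % (n, idx, kind, e, a))
    print("summary:", summarize(report))


if __name__ == "__main__":
    main()
```

Run against the samples, the summary comes out dominated by control bytes and unrelated single-character substitutions spread across every line, which is what line noise or a broken capture looks like; a tampered kernel would be expected to change a few specific strings cleanly, and a mismatch confined to those strings, with the rest of the log byte-identical, is the pattern that would justify checking the kernel file against a trusted copy.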