From owner-freebsd-questions Thu Dec 3 07:57:42 1998
Return-Path:
Received: (from majordom@localhost)
    by hub.freebsd.org (8.8.8/8.8.8) id HAA20043
    for freebsd-questions-outgoing; Thu, 3 Dec 1998 07:57:42 -0800 (PST)
    (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from server1.cctinc.net (NS1.cyber-com.net [209.118.223.2])
    by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA20038
    for ; Thu, 3 Dec 1998 07:57:40 -0800 (PST)
    (envelope-from mike@cctinc.net)
Received: from cctinc.net ([209.118.223.107])
    by server1.cctinc.net (8.8.7/8.8.7) with ESMTP id KAA08727
    for ; Thu, 3 Dec 1998 10:59:29 -0500 (EST)
    (envelope-from mike@cctinc.net)
Message-ID: <3666B40D.18E11DEC@cctinc.net>
Date: Thu, 03 Dec 1998 10:53:49 -0500
From: Mike Alich
Organization: Cyber Communication Technologies, Inc. - www.cctinc.net
X-Mailer: Mozilla 4.05 [en] (Win95; I)
MIME-Version: 1.0
To: freebsd-questions@FreeBSD.ORG
Subject: Important
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I need some help. My server got hacked into last week and I found out that they moved in a new version of login and a few other remote access type of programs. I also noticed they had a file called login.cgi in a particular web directory.

Could they have modified login.c and placed it for apache to execute and change my root password or login as root from a web browser? Or better yet, cp the login.c, modify it, and execute it in a standard user's directory under that user name and log in as root without the root password?

I know one of the people that hacked the system. This user had ftp but not telnet access into the server. But he may have had someone else's password for telnet. This is an ex sysadm. But he never had the root password or my own personal password. And I know this for a fact.

Also, can you tell me which login program is executed when you go to log in to the system? I mean, which directory is this program located in?

Any help is appreciated.

--
Mike Alich
mike@cctinc.net
Cyber Communication Technologies, Inc.
Web Hosting and Internet Solutions.
http://www.cctinc.net
Virtual Web Hosting $14.95 per month