From: Kris Kennaway
To: Brian
Cc: freebsd-questions@FreeBSD.ORG
Date: Wed, 29 Aug 2001 22:04:06 -0700
Subject: Re: Ok, I have been hacked, toor exploited apparently
Message-ID: <20010829220406.A80634@xor.obsecurity.org>

On Wed, Aug 29, 2001 at 10:48:44PM -0500, Brian wrote:
> 7-info.log:Aug 7 08:15:46 ceil telnetd[24924]: ttloop: peer
> died: No such file or directory
> daemon.log:Aug 7 08:15:46 ceil telnetd[24924]: ttloop: peer
> died: No such file or directory
> 8-debug.log:Aug 7 08:47:55 ceil passwd: user toor changed their
> local password
> user.log:Aug 7 08:47:55 ceil passwd: user toor changed their
> local password

They got in via telnetd, changed the password of toor (an alternate root account usually used for convenience so you can use a different login shell for it) so they could get back in, and then did various other stuff you probably have no chance to completely track down.
At this point you need to:

* Wipe the system and reinstall it -- otherwise, you'll probably miss backdoors they've left behind.
* Don't enable telnetd until you can patch it. Don't go back on the net with a vulnerable telnetd or it will just happen again.
* Read the security advisories at http://www.freebsd.org/security and *subscribe to a mailing list to receive notification of future vulnerabilities!*
* Patch existing security holes in your release, or take appropriate workarounds as detailed in the advisories.

Kris
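Added example (not part of Kris's reply or of the FreeBSD thread): a small script that applies the reasoning Kris uses above to syslog text, i.e. it flags password changes on uid-0 accounts (root, toor) and reports whether telnetd activity preceded them within a chosen window. The sample log is constructed; the telnetd and passwd lines are modelled on the excerpts Brian quoted (hostname "ceil", pid 24924), while the cron and sshd lines are filler to show unrelated activity is ignored. The year is an assumption, since BSD syslog lines carry none.

```python
import re
from datetime import datetime

# Constructed sample syslog lines (not a real capture). The telnetd and passwd
# lines are modelled on the excerpts quoted in the thread; the cron and sshd
# lines are filler so the script has unrelated activity to ignore.
SAMPLE_LOG = """\
Aug  7 08:15:46 ceil telnetd[24924]: ttloop: peer died: No such file or directory
Aug  7 08:20:01 ceil cron[301]: (root) CMD (/usr/libexec/atrun)
Aug  7 08:47:55 ceil passwd: user toor changed their local password
Aug  7 09:30:12 ceil sshd[412]: Accepted publickey for brian from 10.0.0.5
Aug  7 11:02:03 ceil passwd: user brian changed their local password
"""

# Classic BSD syslog line: "Mon dd HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
PASSWD_RE = re.compile(r"^user (?P<user>\S+) changed their local password$")

# Accounts whose password change deserves a look on its own (toor is uid 0).
PRIVILEGED = {"root", "toor"}


def parse_line(line, year=2001):
    """Parse one syslog line into a dict, or return None if it does not match.
    Syslog lines carry no year, so the caller supplies one (assumed 2001 here)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "prog": m["prog"],
            "pid": m["pid"], "msg": m["msg"]}


def analyze(log_text, window_hours=2):
    """Return one finding per privileged-account password change, noting
    whether any telnetd event occurred in the preceding window. This is the
    telnetd -> toor-password-change sequence Kris reads off Brian's logs."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    telnetd_times = [e["ts"] for e in events if e["prog"] == "telnetd"]
    findings = []
    for e in events:
        if e["prog"] != "passwd":
            continue
        pm = PASSWD_RE.match(e["msg"])
        if not pm or pm["user"] not in PRIVILEGED:
            continue
        prior = [t for t in telnetd_times
                 if 0 <= (e["ts"] - t).total_seconds() <= window_hours * 3600]
        findings.append({
            "when": e["ts"].strftime("%b %d %H:%M:%S"),
            "host": e["host"],
            "user": pm["user"],
            "preceded_by_telnetd": bool(prior),
            "telnetd_events_in_window": len(prior),
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        flag = "SUSPICIOUS" if f["preceded_by_telnetd"] else "review"
        print(f"{flag}: {f['when']} {f['host']} password of {f['user']} changed "
              f"({f['telnetd_events_in_window']} telnetd event(s) in prior window)")
```

Run against the constructed sample it reports the toor change at 08:47:55 as suspicious because the telnetd "ttloop: peer died" event at 08:15:46 falls inside the two-hour window; brian's later change is not reported at all, since only uid-0 accounts are in PRIVILEGED. Narrowing the window to half an hour keeps the toor finding but drops the telnetd correlation, which is the usual trade-off when tuning this kind of rule.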