Date:      Wed, 29 Aug 2001 22:04:06 -0700
From:      Kris Kennaway <kris@obsecurity.org>
To:        Brian <bbayorgeon@new.rr.com>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: Ok, I have been hacked, toor exploited apparently
Message-ID:  <20010829220406.A80634@xor.obsecurity.org>
In-Reply-To: <ILECJPOKCPCCHDEMKLBNMENICEAA.bbayorgeon@new.rr.com>; from bbayorgeon@new.rr.com on Wed, Aug 29, 2001 at 10:48:44PM -0500
References:  <ILECJPOKCPCCHDEMKLBNMENICEAA.bbayorgeon@new.rr.com>

On Wed, Aug 29, 2001 at 10:48:44PM -0500, Brian wrote:

>  7-info.log:Aug  7 08:15:46 ceil telnetd[24924]: ttloop:  peer
> died: No such file or directory
>  daemon.log:Aug  7 08:15:46 ceil telnetd[24924]: ttloop:  peer
> died: No such file or directory
> 8-debug.log:Aug  7 08:47:55 ceil passwd: user toor changed their
> local password
>    user.log:Aug  7 08:47:55 ceil passwd: user toor changed their
> local password

They got in via telnetd, changed the password of toor (an alternate
root account usually used for convenience so you can use a different
login shell for it) so they could get back in, and then did various
other stuff you probably have no chance to completely track down.

At this point you need to:

* Wipe the system and reinstall it -- otherwise, you'll probably miss
  backdoors they've left behind.

* Don't enable telnetd until you can patch it.  Don't go back on the
  net with a vulnerable telnetd or it will just happen again.

* Read the security advisories at http://www.freebsd.org/security and
  *subscribe to a mailing list to receive notification of future
  vulnerabilities!*

* Patch existing security holes in your release, or take appropriate
  workarounds as detailed in the advisories.

Kris
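As an added example (not part of Kris's reply or of any FreeBSD tool), a small Python check that correlates the two log events he points to: a telnetd "ttloop: peer died" crash followed, on the same host, by a password change on a uid-0 account such as toor. The sample log lines are constructed in the syslog layout quoted above; the one-hour window and the set of privileged accounts are assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines in the syslog layout quoted in the thread, keeping
# the "file.log:" prefixes that grepping several log files leaves behind.
SAMPLE_LOGS = """\
7-info.log:Aug  7 08:15:46 ceil telnetd[24924]: ttloop:  peer died: No such file or directory
daemon.log:Aug  7 08:15:46 ceil telnetd[24924]: ttloop:  peer died: No such file or directory
8-debug.log:Aug  7 08:47:55 ceil passwd: user toor changed their local password
user.log:Aug  7 08:47:55 ceil passwd: user toor changed their local password
user.log:Aug  7 12:01:10 ceil passwd: user bob changed their local password
"""

SYSLOG_RE = re.compile(
    r"^\s*(?:[^:\s]+:)?"                                   # optional grep prefix
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "  # Mon dd HH:MM:SS
    r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
PASSWD_RE = re.compile(r"user (?P<user>\S+) changed their local password")
PRIVILEGED = {"root", "toor"}   # assumed uid-0 accounts on a stock FreeBSD install

def parse(line, year=2001):
    """Return (timestamp, host, program, message) or None for a non-syslog line."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["prog"], m["msg"]

def find_suspicious(text, window_seconds=3600):
    """Flag uid-0 password changes that follow a telnetd crash on the same host."""
    crashes = []      # (ts, host) for every telnetd "ttloop: peer died" event
    alerts = set()    # a set deduplicates events that syslog wrote to several files
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, host, prog, msg = rec
        if prog == "telnetd" and "ttloop" in msg and "peer died" in msg:
            crashes.append((ts, host))
        elif prog == "passwd":
            pm = PASSWD_RE.search(msg)
            if pm and pm["user"] in PRIVILEGED:
                for cts, chost in crashes:
                    if chost == host and 0 <= (ts - cts).total_seconds() <= window_seconds:
                        alerts.add((host, pm["user"], cts.isoformat(), ts.isoformat()))
    return sorted(alerts)

if __name__ == "__main__":
    for host, user, crash, change in find_suspicious(SAMPLE_LOGS):
        print(f"{host}: telnetd crash at {crash}, then {user} password change at {change}")
```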

