From owner-freebsd-security Mon Jul 23 18:27:55 2001
Delivered-To: freebsd-security@freebsd.org
Received: from backup.af.speednet.com.au (af.speednet.com.au [202.135.188.244]) by hub.freebsd.org (Postfix) with ESMTP id 0F6F737B401 for ; Mon, 23 Jul 2001 18:27:50 -0700 (PDT) (envelope-from andyf@speednet.com.au)
Received: from backup.af.speednet.com.au (backup.af.speednet.com.au [172.22.2.4]) by backup.af.speednet.com.au (8.11.4/8.11.4) with ESMTP id f6O1RlA56095 for ; Tue, 24 Jul 2001 11:27:47 +1000 (EST) (envelope-from andyf@speednet.com.au)
Date: Tue, 24 Jul 2001 11:27:46 +1000 (EST)
From: Andy Farkas
X-X-Sender:
To:
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:49.telnetd (fwd)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Mon, 23 Jul 2001, FreeBSD Security Advisories wrote:

> Topic: telnetd contains remote buffer overflow

Well, hate to say this, but several of my systems were cracked into. No need to say any more, it was all my fault...

Anyways, there was a process running called 'mingetty' with a zombie /bin/sh right after it... the file was added to /usr/bin and given a time/datestamp similar to the other files to make it look like it was installed with the system... a line was also added to /etc/rc to start it up on reboot...

Heaven knows what else they did, but I just thought I'd send a heads-up, as this was a fairly obvious hack to spot...

Bad Andy. No cookie.

--
:{ andyf@speednet.com.au
Andy Farkas
System Administrator
Speednet Communications
http://www.speednet.com.au/

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
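The two artefacts Andy describes, a binary dropped into /usr/bin with a forged timestamp and a start-up line appended to /etc/rc, can be triaged with a short script. The following is an added example, not code from the original post or from FreeBSD. The check rests on one fact: `touch -t` lets an attacker forge mtime to blend in with neighbouring files, but ctime is set by the kernel on every inode change and cannot be set from user space, so a file whose mtime is far older than its ctime was written recently and then backdated. The directory tree, file names, the pristine rc copy and the one-day slack are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): heuristic checks for a planted
# binary with a forged timestamp and an extra start-up line in an rc file.
# All paths and names below are assumptions for the demonstration.

# Epoch mtime and ctime of a file. GNU stat is tried first, BSD stat second.
file_times() {
    stat -c '%Y %Z' "$1" 2>/dev/null || stat -f '%m %c' "$1"
}

# List regular files under $1 whose mtime is more than $2 seconds (default
# one day) older than their ctime. touch -t can forge mtime to match the
# neighbours, but ctime is set by the kernel and records the real write.
find_backdated() {
    dir=$1
    slack=${2:-86400}
    find "$dir" -type f | while read -r f; do
        set -- $(file_times "$f")      # $1 = mtime, $2 = ctime
        if [ $(($2 - $1)) -gt "$slack" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Lines in the live rc file ($2) that do not appear verbatim in a pristine
# copy ($1). Exits 0 even when nothing was added.
rc_additions() {
    grep -vxF -f "$1" "$2" || true
}

# Build a constructed tree that mimics the compromise and run both checks on
# it. Prints the findings; returns 0 only if the planted binary and the added
# rc line were both flagged.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/usr/bin" "$root/etc"
    printf 'legit\n' > "$root/usr/bin/ls"            # written now, left alone
    printf 'backdoor\n' > "$root/usr/bin/mingetty"   # written now...
    touch -t 200104200000 "$root/usr/bin/mingetty"   # ...then mtime backdated
    printf '#!/bin/sh\n/sbin/ldconfig\n' > "$root/etc/rc.pristine"
    printf '#!/bin/sh\n/sbin/ldconfig\n/usr/bin/mingetty &\n' > "$root/etc/rc"

    backdated=$(find_backdated "$root/usr/bin")
    added=$(rc_additions "$root/etc/rc.pristine" "$root/etc/rc")
    printf 'backdated files: %s\nrc additions: %s\n' "$backdated" "$added"
    rm -rf "$root"

    [ "$backdated" = "$root/usr/bin/mingetty" ] && \
        [ "$added" = '/usr/bin/mingetty &' ]
}

# Call demo to run the constructed scenario; on a real host call
# find_backdated /usr/bin and rc_additions <pristine-rc> /etc/rc directly.
```

Two caveats on using this for real. First, the mtime/ctime gap is only a triage heuristic: files whose mtime was preserved when a package or release was extracted will also show an old mtime with a newer ctime, so the authoritative comparison is against a baseline taken before the compromise (on FreeBSD, an mtree specification of the system directories). Second, an attacker with root can reset ctime by changing the system clock before writing the file, so a clean result proves nothing. In this particular case the name alone was a tell: mingetty is a Linux getty, and nothing by that name belongs in a FreeBSD /usr/bin.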