From owner-freebsd-security Wed Nov 29 23:50:38 1995
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id XAA04784 for security-outgoing; Wed, 29 Nov 1995 23:50:38 -0800
Received: from time.cdrom.com (time.cdrom.com [192.216.222.226]) by freefall.freebsd.org (8.6.12/8.6.6) with ESMTP id XAA04779 for ; Wed, 29 Nov 1995 23:50:35 -0800
Received: from localhost (localhost [127.0.0.1]) by time.cdrom.com (8.6.12/8.6.9) with SMTP id XAA07924 for ; Wed, 29 Nov 1995 23:48:11 -0800
To: security@freebsd.org
Subject: Robert Du Gaue: ****HELP*****
Date: Wed, 29 Nov 1995 23:48:11 -0800
Message-ID: <7921.817717691@time.cdrom.com>
From: "Jordan K. Hubbard"
Sender: owner-security@freebsd.org
Precedence: bulk

Argh. Anyone here care to do a little sleuthing for this FreeBSD-using service provider?

Jordan

------- Forwarded Message

Return-Path: rdugaue@web3.calweb.com
Received: from calweb.calweb.com (calweb.calweb.com [165.90.138.3]) by time.cdrom.com (8.6.12/8.6.9) with ESMTP id VAA05579 for ; Wed, 29 Nov 1995 21:18:24 -0800
Received: from web3.calweb.com by calweb.calweb.com via ESMTP (8.6.12/940406.SGI.AUTO) for id FAA20984; Thu, 30 Nov 1995 05:21:28 GMT
Received: (from rdugaue@localhost) by web3.calweb.com (8.7/8.6.9) id VAA07285; Wed, 29 Nov 1995 21:21:29 -0800 (PST)
Date: Wed, 29 Nov 1995 21:21:28 -0800 (PST)
From: Robert Du Gaue
To: "Jordan K. Hubbard"
Subject: ****HELP*****
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Well, we've got a major problem I'm hoping you can solve. Yesterday a user (known pirate) pissed off another hacker, and somehow he got into the system and deleted the user's directory and took our pw file (cat'ed out in an IRC channel with the encrypted pws).

We immediately checked our systems, found sendmail to be 8.9, upgraded all these sendmails to 8.7, blocked 2 class addresses that he may have come from, removed root from ftp on one of the machines, and deleted all the lp stuff (since we have no printers). Checked for suid programs.

Well, we restored the directory, and it got deleted again tonight. We have no idea how he is doing this. He's changed the /etc/raddb/users file (removed the user from the file) also. In a word, I'm stuck; we're unsure of how he's doing it, and I'm very scared right now that he'll do something major to the system.

------- End of Forwarded Message
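Two of the checks the forwarded message describes doing by hand, an inventory of setuid programs and confirming root is denied FTP login, as a small POSIX shell script that can be re-run to spot changes between incidents. This is an added example, not code from the thread or from FreeBSD; the paths, the use of an ftpusers deny file as the mechanism behind "removed root from ftp", and the demo tree are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: baseline the setuid/setgid programs
# on a host and report any that appear or vanish between runs, plus a
# check that root is denied FTP login. Paths below are assumptions.

# List every setuid or setgid regular file under tree $1, one path per
# line, sorted so the output is diffable.
suid_inventory() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Compare baseline file $1 (saved output of suid_inventory) with a fresh
# inventory of tree $2. Prints "+ path" for new setuid/setgid files and
# "- path" for ones that disappeared. Returns 0 if unchanged, 1 if not.
suid_diff() {
    fresh=$(mktemp)
    suid_inventory "$2" > "$fresh"
    # comm -3: lines only in baseline (no prefix) or only in fresh (tab prefix)
    changes=$(comm -3 "$1" "$fresh" |
        awk -F'\t' '{ if ($1 != "") print "- " $1; else print "+ " $2 }')
    rm -f "$fresh"
    if [ -z "$changes" ]; then
        return 0
    fi
    printf '%s\n' "$changes"
    return 1
}

# Return 0 if root appears in the ftpusers deny file $1 (assumed to be the
# mechanism behind "removed root from ftp"), 1 otherwise.
root_ftp_denied() {
    grep -q '^root$' "$1"
}

# Constructed demo tree standing in for a host; not the poster's system.
demo() {
    tree=$(mktemp -d)
    mkdir -p "$tree/bin" "$tree/etc"
    : > "$tree/bin/su";    chmod 4755 "$tree/bin/su"     # legitimate setuid
    : > "$tree/bin/ls";    chmod 755  "$tree/bin/ls"     # ordinary binary
    printf 'root\nuucp\n' > "$tree/etc/ftpusers"
    suid_inventory "$tree" > "$tree/etc/suid.baseline"   # record known-good state
    : > "$tree/bin/extra"; chmod 4755 "$tree/bin/extra"  # later, unexpected setuid file
    suid_diff "$tree/etc/suid.baseline" "$tree" || echo "setuid inventory changed"
    root_ftp_denied "$tree/etc/ftpusers" && echo "root is denied ftp login"
    rm -rf "$tree"
}
demo
```

Run the baseline once on a known-good system and keep it off the host (or at least off the tree being inventoried), since a file the intruder can edit is no baseline at all.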