From owner-freebsd-isp Tue Sep 22 08:54:44 1998
Return-Path:
Received: (from majordom@localhost)
    by hub.freebsd.org (8.8.8/8.8.8) id IAA27129
    for freebsd-isp-outgoing; Tue, 22 Sep 1998 08:54:44 -0700 (PDT)
    (envelope-from owner-freebsd-isp@FreeBSD.ORG)
Received: from pushkar.stepnet.com (pushkar.stepnet.com [206.14.120.103])
    by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA27114
    for ; Tue, 22 Sep 1998 08:54:40 -0700 (PDT)
    (envelope-from ping@stepnet.com)
Received: (from ping@localhost)
    by pushkar.stepnet.com (8.8.8/8.8.8) id IAA02712
    for freebsd-isp@freebsd.org; Tue, 22 Sep 1998 08:54:09 -0700 (PDT)
    (envelope-from ping)
From: Ping Mai
Message-Id: <199809221554.IAA02712@pushkar.stepnet.com>
Subject: HELP: hacked by John the Ripper
To: freebsd-isp@FreeBSD.ORG
Date: Tue, 22 Sep 1998 08:54:09 -0700 (PDT)
X-Mailer: ELM [version 2.4ME+ PL38 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

It seems my system has been hacked. The hacker altered the DNS tables
and left a passwd cracker in /bin. There were DNS db files that were
invisible to "/bin/ls", but they show up from an "od" dump of the directory.

Can someone help me to find out how he got in initially?
What should I do at this point? Should I wipe the disk on this system?

Thanks in advance,
ping
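
Added example (not part of the original message, and not code from the poster or the FreeBSD project): the observation above, that entries missing from "/bin/ls" still appear in a raw dump of the directory, can be automated as a cross-view comparison. Most current systems no longer allow "od" on a directory, so this sketch reads entries through os.scandir instead; the function names are hypothetical, and it assumes the Python interpreter and the kernel are trustworthy (for example, run from known-good media).

```python
import os
import subprocess
import sys

def raw_names(directory):
    """Entry names as returned by the kernel's readdir, with no ls involved."""
    with os.scandir(directory) as entries:
        return {entry.name for entry in entries}  # scandir omits "." and ".."

def ls_lines(directory, ls_cmd=("/bin/ls",)):
    """Lines printed by the ls under test (-a: dotfiles too, -1: one per line)."""
    out = subprocess.run([*ls_cmd, "-a", "-1", "--", directory],
                         stdout=subprocess.PIPE, check=True).stdout
    return {os.fsdecode(line) for line in out.split(b"\n") if line}

def hidden_from_ls(directory, ls_cmd=("/bin/ls",)):
    """Names present in the directory that the ls under test did not print."""
    listed = ls_lines(directory, ls_cmd)
    raw = raw_names(directory)
    missing = []
    for name in raw:
        # A name containing newlines spans several ls output lines; match each piece.
        pieces = [p for p in name.split("\n") if p]
        if not all(p in listed for p in pieces):
            missing.append(name)
    # A file created between the two reads would also appear here; re-run to confirm.
    return sorted(missing)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for name in hidden_from_ls(target):
        print("not shown by ls:", repr(name))
```

An empty result only shows that this ls and the kernel agree; if the kernel itself has been tampered with, both views can omit the same entries.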