Date: Mon, 24 Jun 1996 20:05:05 +0300 (EET DST)
From: Narvi
To: Terry Lambert
cc: "Jordan K. Hubbard", guido@gvr.win.tue.nl, hackers@FreeBSD.ORG, security@FreeBSD.ORG, ache@FreeBSD.ORG
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To: <199606240651.XAA27306@phaeton.artisoft.com>

On Sun, 23 Jun 1996, Terry Lambert wrote:

> > Hmmm. We have reason to believe that he *didn't* get root (though
> > we're still assuming he did, just to be paranoid) and if the mod times
> > can be trusted, hosts.equiv hasn't been touched in many months (and
> > localhost is commented out).
>
> 1) Do not believe this. Assume he got root.
> 2) Assume your password changes are mailed out as cleartext by
> your passwd program.
> 3) Assume md5 and checksum have been hacked to lie about
> themselves and any other files affected.
> 4) Assume system time stamps were changed.
> 5) Assume all log files were edited.
> 6) Best approach: reinstall the system (from distribution,
> not backup --- no telling how long he was there).
> 7) Turn off the stupid "password must meet these criteria"
> on the password change. All it does is reduce the search
> space a hacker needs to apply.
> 8) Put spoofing filters on your firewall; basically, look for
> the response bit.
> 9) Make sure you aren't running routed -q.
> 10) Turn off source routing on your gateway, if it's on.

Now, are there some more things someone whose system was broken into could look for?

Perhaps some passwords should be switched to S/Key - it should be possible to generate them on a remote machine and then install them?

> If you need help getting the FBI involved, tell them you had "munitions"
> on the machine. ;-).

The "secure" part of the distribution + DES actually are so by definition, no matter that he could have downloaded them from much nearer...

Sander,
who is by no means a security specialist

> Terry Lambert
> terry@lambert.org
> ---
> Any opinions in this posting are my own and not those of my present
> or previous employers.
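Following up on the S/Key question above, here is an added example (not from this thread and not FreeBSD's own S/Key code): a minimal one-time-password sequence in the RFC 2289 otp-md5 style, with a server side that stores only the last accepted value and never the passphrase, so a password sniffed off the wire cannot be replayed. The passphrase, seed and counts are constructed values; the six-word encoding is left out and the raw 8-byte values are compared directly.

```python
import hashlib
import secrets


def _fold(digest: bytes) -> bytes:
    # RFC 2289 MD5 folding: XOR the two 64-bit halves of the 128-bit digest.
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))


def otp_md5(passphrase: str, seed: str, count: int) -> bytes:
    # Initial step: the case-insensitive seed is prepended to the passphrase
    # and the result is hashed and folded; then the one-way step is applied
    # `count` more times. Only the passphrase holder can compute low counts.
    value = _fold(hashlib.md5((seed.lower() + passphrase).encode()).digest())
    for _ in range(count):
        value = _fold(hashlib.md5(value).digest())
    return value


class OtpServer:
    """Holds only (seed, count, last accepted OTP); compromise of this
    record does not reveal the passphrase or any lower-count OTP."""

    def __init__(self, seed: str, count: int, last_otp: bytes):
        self.seed, self.count, self.last = seed, count, last_otp

    def challenge(self) -> str:
        # What the login prompt would show the user to type into a calculator.
        return f"otp-md5 {self.count - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        # One more hash of the user's response must equal the stored value.
        if secrets.compare_digest(_fold(hashlib.md5(response).digest()), self.last):
            self.count -= 1
            self.last = response  # advance: the same response can never pass again
            return True
        return False


def demo():
    # Constructed enrolment: the seed/count/first OTP are generated on a
    # trusted machine and installed on the (possibly sniffed) host.
    passphrase, seed, n = "correct horse battery", "fr1234", 100
    server = OtpServer(seed, n, otp_md5(passphrase, seed, n))
    good = server.verify(otp_md5(passphrase, seed, n - 1))
    replay = server.verify(otp_md5(passphrase, seed, n - 1))  # sniffed and replayed
    wrong = server.verify(otp_md5("wrong passphrase", seed, n - 2))
    nxt = server.verify(otp_md5(passphrase, seed, n - 2))
    return good, replay, wrong, nxt
```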