From owner-freebsd-security  Mon Jul 28 17:22:51 1997
Return-Path: <owner-freebsd-security>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.5/8.8.5) id RAA16047
          for security-outgoing; Mon, 28 Jul 1997 17:22:51 -0700 (PDT)
Received: from mail.webspan.net (root@mail.webspan.net [206.154.70.7])
          by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id RAA16036
          for <security@FreeBSD.ORG>; Mon, 28 Jul 1997 17:22:46 -0700 (PDT)
Received: from orion.webspan.net (orion.webspan.net [206.154.70.5])
          by mail.webspan.net (WEBSPAN/970608) with ESMTP id UAA22876;
          Mon, 28 Jul 1997 20:22:21 -0400 (EDT)
Received: from orion.webspan.net (localhost [127.0.0.1])
          by orion.webspan.net (WEBSPAN/970608) with ESMTP id UAA03751;
          Mon, 28 Jul 1997 20:22:21 -0400 (EDT)
To: Vincent Poy <vince@mail.MCESTATE.COM>
cc: security@FreeBSD.ORG, "[Mario1-]" <mario1@PrimeNet.Com>,
        JbHunt <johnnyu@accessus.net>
From: "Gary Palmer" <gpalmer@FreeBSD.ORG>
Subject: Re: security hole in FreeBSD 
In-reply-to: Your message of "Mon, 28 Jul 1997 03:19:55 PDT."
             <Pine.BSF.3.95.970728031228.3844A-100000@mail.MCESTATE.COM> 
Date: Mon, 28 Jul 1997 20:22:21 -0400
Message-ID: <3749.870135741@orion.webspan.net>
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Vincent Poy wrote in message ID
<Pine.BSF.3.95.970728031228.3844A-100000@mail.MCESTATE.COM>:
> 	Saw the user on irc posting the password of earth with the login
> name root.  Any ideas?

Take the machine offline and reinstall the *ENTIRE* thing. You have
been root kitted, which allows remote access & hiding of remote
access, without any daemons needed to be running.

Gary
--
Gary Palmer                                          FreeBSD Core Team Member
FreeBSD: Turning PC's into workstations. See http://www.FreeBSD.ORG/ for info