From owner-freebsd-security Thu Nov 30 00:03:33 1995
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id AAA05610 for security-outgoing; Thu, 30 Nov 1995 00:03:33 -0800
Received: from time.cdrom.com (time.cdrom.com [192.216.222.226]) by freefall.freebsd.org (8.6.12/8.6.6) with ESMTP id AAA05605 for ; Thu, 30 Nov 1995 00:03:29 -0800
Received: from localhost (localhost [127.0.0.1]) by time.cdrom.com (8.6.12/8.6.9) with SMTP id AAA08121; Thu, 30 Nov 1995 00:00:50 -0800
To: Robert Du Gaue
Cc: security@freebsd.org
Subject: Re: ****HELP*****
In-reply-to: Your message of "Wed, 29 Nov 1995 21:21:28 PST."
Date: Thu, 30 Nov 1995 00:00:50 -0800
Message-ID: <8119.817718450@time.cdrom.com>
From: "Jordan K. Hubbard"
Sender: owner-security@freebsd.org
Precedence: bulk

Hmmmmmm. A couple of things that confuse me here..

You say you "upgraded" sendmail 8.9 to 8.7? :) I can ask around, but I wasn't aware of anything too pathologically wrong with either version.

Second, I assume you've deleted the account of the person being attacked? I'm curious how he got ahold of the real password file - are you sure it wasn't just the shadow passwords?

If you can give us more clues, we can both give you avenues to follow in securing your system and track down the method(s) the perp is using. Also, please don't be afraid to employ legal means. What this hacker has done is a felony and should be made an example of to the fullest extent provided by the law. Most data crime units in the various PDs are fairly eager, actually - it's budget time! :-)

Also, the security@freebsd.org list is available for discussing security issues with other admins throughout the world, many of whom are pretty good. I'm sure at least one or two people here will have some first tips for you to try (security isn't really my bag, to be honest!).

Anyway, I'd be happy to help you out, but we obviously need more information about what this guy is actually up to.. Any log info or anything else you think may be relevant?

Thanks.

Jordan

> Well, we've got a major problem I'm hoping you can solve. Yesterday a
> user (known pirate) pissed off another hacker and somehow he got into the
> system and deleted the user's directory, took our pw file (cated out in an
> IRC channel with the encrypted pws). We immediately checked our systems,
> found sendmail to be 8.9, upgraded all these sendmails to 8.7, blocked 2
> class addresses that he may have come from, removed root from ftp on one
> of the machines, and deleted all the lp stuff (since we have no printers).
>
> Checked for suid programs. Well, we restored the directory, and it got
> deleted again tonight. We have no idea how he is doing this. He's changed
> the /etc/raddb/users file (removed the user from the file) also. In a
> word, I'm stuck, we're unsure of how he's doing it and I'm very scared
> right now that he'll do something major to the system.
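Two of the checks raised in this exchange (was the leaked file really the hashed passwords or only the shadowed /etc/passwd, and the "checked for suid programs" step) as an added example; this is not from the original mail or the FreeBSD project, and the passwd lines below are constructed samples.

```sh
#!/bin/sh
# Added example (not part of the original thread). On a shadowed BSD system
# /etc/passwd carries '*' in the password field and the real crypt(3) hashes
# live in /etc/master.passwd (mode 600). Given a copy of whatever file was
# posted, report which accounts actually had a hash exposed.

# Print one account name per line whose password field is neither a shadow
# placeholder ('*' or 'x') nor empty. Argument: passwd(5)-format file.
exposed_hashes() {
    awk -F: 'NF >= 7 && $2 != "*" && $2 != "x" && $2 != "" { print $1 }' "$1"
}

# Number of exposed entries in the file (0 means only placeholders leaked).
count_exposed() {
    exposed_hashes "$1" | wc -l | tr -d ' '
}

# List setuid files under a directory tree; diff this against the same
# listing taken from clean install media to spot a planted setuid binary.
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Constructed sample 1: what a properly shadowed /etc/passwd looks like.
SAMPLE_SHADOWED=$(mktemp)
cat > "$SAMPLE_SHADOWED" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001:Alice:/home/alice:/bin/sh
EOF

# Constructed sample 2: a file with real-looking hashes in the password
# field (the hash values here are made up, not real credentials).
SAMPLE_LEAKED=$(mktemp)
cat > "$SAMPLE_LEAKED" <<'EOF'
root:$1$madeupsalt$madeupmadeupmadeupmadeu:0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001:Alice:/home/alice:/bin/sh
bob:abMADEUPhash1:1002:1002:Bob:/home/bob:/bin/sh
EOF

echo "shadowed sample exposes $(count_exposed "$SAMPLE_SHADOWED") hash(es)"
echo "leaked sample exposes $(count_exposed "$SAMPLE_LEAKED") hash(es):"
exposed_hashes "$SAMPLE_LEAKED"
```

Run `list_setuid /` as root on the affected host and on a trusted copy of the same release, and compare the two listings.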