From owner-freebsd-security Mon Jul 28 17:31:00 1997
Return-Path:
Received: (from root@localhost)
    by hub.freebsd.org (8.8.5/8.8.5) id RAA16825
    for security-outgoing; Mon, 28 Jul 1997 17:31:00 -0700 (PDT)
Received: from mail.MCESTATE.COM (vince@mail.MCESTATE.COM [207.211.200.50])
    by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id RAA16813;
    Mon, 28 Jul 1997 17:30:50 -0700 (PDT)
Received: from localhost (vince@localhost)
    by mail.MCESTATE.COM (8.8.5/8.8.5) with SMTP id RAA07313;
    Mon, 28 Jul 1997 17:30:45 -0700 (PDT)
Date: Mon, 28 Jul 1997 17:30:44 -0700 (PDT)
From: Vincent Poy
To: Gary Palmer
cc: security@FreeBSD.ORG, "[Mario1-]" , JbHunt
Subject: Re: security hole in FreeBSD
In-Reply-To: <3749.870135741@orion.webspan.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 28 Jul 1997, Gary Palmer wrote:

=)Vincent Poy wrote in message ID
=):
=)> Saw the user on irc posting the password of earth with the login
=)> name root. Any ideas?
=)
=)Take the machine offline and reinstall the *ENTIRE* thing. You have
=)been root kitted, which allows remote access & hiding of remote
=)access, without any daemons needed to be running.

Machines are offline already. The hacker confronted us and said
that it was the default .rhosts file that came in the FreeBSD root account
and he used perl5.00401 which had a security hole and then used rlogin to
login to another machine without the password.

Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET ________ __ ____
Unix Networking Operations - FreeBSD-Real Unix for Free / / / / | / |[__ ]
GaiaNet Corporation - M & C Estate / / / / | / | __] ]
Beverly Hills, California USA 90210 / / / / / |/ / | __] ]
HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____]