Date: Mon, 12 Oct 1998 21:52:42 -0400 (EDT)
From: Barrett Richardson <brich@aye.net>
To: "Leonard C." <leonardc9@usa.net>
Cc: security@FreeBSD.ORG
Subject: Re: URGENT! Need help determining scope of attack...
Message-ID: <Pine.BSF.3.96.981012213116.17873A-100000@phoenix.aye.net>
In-Reply-To: <v04011702b24835d1f943@[10.0.0.2]>
It's difficult to tell much other than attempted connections to the ports mentioned. Are you sure the su to root entries aren't yours?

May be worthwhile to find the core dump for telnet -- but it is a signal 3 (like when you ctrl-\) as opposed to a SIGSEGV (which is common when the stack gets munged). The telnet was also for uid 0, which means it was initiated by root. If an attacker already had root access, then he would likely be mucking around with other things than figuring out how to get root access (which he already has) -- unless he wants to camp out there a while and wants more than one means to come and go undetected.

When syslogd exited on signal 15, do you know why? Was the machine running a good while without any syslogging?

If you can find the core dump, do a 'strings telnet.core' and see if it shows anything that looks like entries from /etc/spwd.db.

Normal system activity by admins may explain some of the things in your syslog.
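The check suggested above ('strings telnet.core', then look for anything resembling /etc/spwd.db contents) as an added example, not part of the original message or of FreeBSD: a Python script that re-implements the strings extraction and flags master.passwd-style lines and crypt(3) hashes in a process image. The core bytes and the hash values are constructed inline, and the hash patterns are heuristics, not a parser of the spwd.db format.

```python
import re

# Same idea as `strings`: runs of at least `min_len` printable ASCII bytes.
def extract_strings(data: bytes, min_len: int = 4):
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

# Heuristics for password-database material in a core file:
#  - a master.passwd-style line: name:hash:uid:gid:...
#  - an MD5 crypt(3) hash: "$1$" + salt + "$" + 22 chars of the crypt alphabet
#  - a classic DES crypt(3) hash: exactly 13 chars of the crypt alphabet
#    (noisy on its own, so it is reported separately from the other two)
_PASSWD_LINE = re.compile(r"^[a-z_][a-z0-9_-]*:[^:]*:\d+:\d+:")
_MD5_HASH = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")
_DES_HASH = re.compile(r"^[./0-9A-Za-z]{13}$")

def find_passwd_material(data: bytes):
    """Return (kind, string) pairs worth a closer look, in file order."""
    hits = []
    for s in extract_strings(data):
        if _PASSWD_LINE.match(s):
            hits.append(("passwd-line", s))
        elif _MD5_HASH.match(s):
            hits.append(("hash", s))
        elif _DES_HASH.match(s):
            hits.append(("maybe-des-hash", s))
    return hits

# Constructed stand-in for a telnet core: an ELF-like header, a few ordinary
# strings, one master.passwd record and one stray MD5 hash (all made up).
SAMPLE_CORE = (
    b"\x7fELF" + b"\x00" * 16
    + b"/usr/bin/telnet\x00"
    + b"localhost\x00"
    + b"root:$1$abcdefgh$" + b"A" * 22
    + b":0:0:daemon:0:0:Charlie &:/root:/bin/csh\x00"
    + b"\x00" * 8
    + b"$1$saltsalt$" + b"B" * 22 + b"\x00"
    + b"libc.so.3\x00"
)

if __name__ == "__main__":
    for kind, s in find_passwd_material(SAMPLE_CORE):
        print(f"{kind:15} {s}")
```

Run it against a real core with `find_passwd_material(open("telnet.core", "rb").read())`; a clean telnet image should produce no passwd-line or MD5 hits at all.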