From owner-freebsd-security Mon Oct 12 19:00:46 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA03283 for freebsd-security-outgoing; Mon, 12 Oct 1998 19:00:46 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from phoenix (phoenix.aye.net [206.185.8.134]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id TAA03275 for ; Mon, 12 Oct 1998 19:00:44 -0700 (PDT) (envelope-from brich@aye.net)
Received: (qmail 26509 invoked by uid 7506); 13 Oct 1998 01:52:43 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 13 Oct 1998 01:52:42 -0000
Date: Mon, 12 Oct 1998 21:52:42 -0400 (EDT)
From: Barrett Richardson
To: "Leonard C."
cc: security@FreeBSD.ORG
Subject: Re: URGENT! Need help determining scope of attack...
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

It's difficult to tell much other than the attempted connections to the ports mentioned. Are you sure the su to root entries aren't yours?

May be worthwhile to find the core dump for telnet -- but it is a signal 3 (like when you ctrl-\) as opposed to a SIGSEGV (which is common when the stack gets munged). The telnet was also for uid 0, which means it was initiated by root. If an attacker already had root access, then he would likely be mucking around with other things than figuring out how to get root access (which he already has) -- unless he wants to camp out there a while and wants more than one means to come and go undetected.

When syslogd exited on signal 15, do you know why? Was the machine running a good while without any syslogging?

If you can find the core dump, do a 'strings telnet.core' and see if it shows anything that looks like entries from /etc/spwd.db.

Normal system activity by admins may explain some of the things in your syslog.
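An added example, not part of the message above, of the check Barrett suggests: a Python script that does the strings(1)-style extraction over a core dump and flags anything shaped like a master.passwd record (the source /etc/spwd.db is built from), reporting whether a hash field was present rather than the hash itself. The sample core bytes and the hash value in them are constructed for illustration.

```python
import re

# Printable ASCII runs of at least four bytes, the same default strings(1) uses.
_PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")

# A master.passwd(5) record, which is what the spwd.db database is built from:
# name:password:uid:gid:class:change:expire:gecos:home:shell  (ten colon-separated fields)
_MASTER_PASSWD = re.compile(
    rb"^([a-z_][a-z0-9_-]*):([^:]*):(\d+):(\d+):([^:]*):(\d+):(\d+):([^:]*):([^:]*):([^:]*)$"
)


def extract_strings(blob: bytes) -> list:
    """Return the printable runs in blob, equivalent to running strings(1) over it."""
    return [m.group(0) for m in _PRINTABLE_RUN.finditer(blob)]


def find_passwd_records(blob: bytes) -> list:
    """Report master.passwd-style records found in a core dump.

    The password hash itself is never returned, only whether a real hash was
    present (an empty field or '*' means no usable password).
    """
    hits = []
    for run in extract_strings(blob):
        m = _MASTER_PASSWD.match(run)
        if m is None:
            continue
        hits.append({
            "user": m.group(1).decode("ascii"),
            "uid": int(m.group(3)),
            "shell": m.group(10).decode("ascii", "replace"),
            "hash_present": m.group(2) not in (b"", b"*"),
        })
    return hits


# Constructed sample "core dump": a few program strings with two fake
# master.passwd records embedded among NUL-separated data. The hash is not real.
SAMPLE_CORE = (
    b"\x7fELF\x01\x01\x00" b"telnet\x00" b"/usr/bin/telnet\x00"
    b"root:$1$fakesalt$FakeHashForIllustrationOnly:0:0::0:0:Charlie &:/root:/bin/csh\x00"
    b"daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin\x00"
    b"\x00\x00Connection closed by foreign host.\x00"
)

if __name__ == "__main__":
    for hit in find_passwd_records(SAMPLE_CORE):
        print(hit)
```

A real core from a setuid-root telnet that contains such records is a strong sign the process read the shadow database, which is exactly what the message above is asking you to look for.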