Date: Mon, 21 Aug 2000 18:22:13 +0600 (KGST)
From: CrazZzy Slash
To: "Vladimir I. Kulakov"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: "snmp.sample" in /usr/local/etc/rc.d/

No, I think maybe some package from ports installed snmp for itself..
Look through your logs..

On Mon, 21 Aug 2000, Vladimir I. Kulakov wrote:

> > Hi!
> >
> > Can you send me your /tmp/install.log?
>
> There is no such file !!! :--(
> Do you think it was deleted by a hacker?
>
> > > Hi, all !
> > >
> > > I've just moved my server from FreeBSD 2.2.5 to 4.0 due
> > > to a total hardware upgrade and many security holes.
> > >
> > > After the upgrade I mounted the hard disk from the previous
> > > machine and moved all users' data from /usr/home/ on it
> > > to the new hard disk. The new machine had a new root
> > > password, of course.
> > >
> > > But the next day after the upgrade I suddenly noticed
> > > two new scripts in /usr/local/etc/rc.d/ which are intended to
> > > start at every bootup and which I never installed.
> > >
> > > Moreover, in /usr/local/sbin/ two more
> > > files appeared (snmpd and a second, something like this).
> > > I've never installed snmp on that machine and mtree
> > > tells me such files never existed there.
> > >
> > > In the log files there is nothing special.
> > >
> > > The new system was installed from a "clean"
> > > distribution.
> > >
> > > Were these trojan programs? How can I check
> > > my server for such security holes? And how
> > > could such programs be installed?
> > >
> > > Maybe my mistake was mounting my old disk with
> > > security holes when working connected to the Internet?
> > > But how could the hacker execute programs even
> > > from an insecure disk on a secure machine?
> > >
> > > Help me, please !!!

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
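
One way to test the suggestion in the reply that a port installed these files, as an added example that is not part of the original thread: search the package database's packing lists for the paths in question. It assumes the pkg_install-era layout (`/var/db/pkg/<name>/+CONTENTS`); the function names, the package name and the sample packing list are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes the pkg_install-era database layout:
#   <dbdir>/<package-name>/+CONTENTS   (dbdir is /var/db/pkg on a live system)

# pkg_owner DBDIR ABSOLUTE_PATH: print every package whose packing list
# contains ABSOLUTE_PATH. Returns 1 when no registered package claims it.
pkg_owner() {
    _db=$1; _target=$2; _rc=1
    for _c in "$_db"/*/+CONTENTS; do
        [ -f "$_c" ] || continue
        if awk -v target="$_target" '
            $1 == "@cwd" { prefix = $2; next }   # prefix for following paths
            /^@/         { next }                # @name, @comment, @exec ...
            (prefix "/" $0) == target { hit = 1 }
            END { exit (hit ? 0 : 1) }
        ' "$_c"; then
            basename "$(dirname "$_c")"
            _rc=0
        fi
    done
    return $_rc
}

# unowned DBDIR FILE...: print the files no registered package accounts for.
unowned() {
    _dbdir=$1; shift
    for _f in "$@"; do
        pkg_owner "$_dbdir" "$_f" >/dev/null || echo "$_f"
    done
}

# Constructed sample database (package name and contents are made up).
make_sample_db() {
    mkdir -p "$1/example-snmp-0.0"
    cat > "$1/example-snmp-0.0/+CONTENTS" <<'EOF'
@comment constructed sample packing list
@name example-snmp-0.0
@cwd /usr/local
sbin/snmpd
etc/rc.d/snmp.sample
EOF
}

demo=$(mktemp -d)
make_sample_db "$demo"
pkg_owner "$demo" /usr/local/sbin/snmpd        # prints the owning package
unowned "$demo" /usr/local/sbin/snmpd /usr/local/sbin/unknown
rm -rf "$demo"
```

A file that a package claims was put there by an install; a file reported by `unowned` has no packing-list record and needs a separate explanation.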