To: freebsd-isp@FreeBSD.ORG
Subject: Re: HELP: hacked by John the Ripper
References: <199809221554.IAA02712@pushkar.stepnet.com>
From: Faried Nawaz
Date: 22 Sep 1998 10:19:39 -0700
In-Reply-To: ping@stepnet.com's message of 22 Sep 1998 09:43:52 -0700

ping@stepnet.com (Ping Mai) writes:

> It seems my system has been hacked. The hacker altered the DNS tables
> and left a passwd cracker in /bin. There were DNS db files that were
> invisible to "/bin/ls", but they show up from "od" dump of the
> directory. Can someone help me to find out how he got in initially?

Can you display the files by going into the name directory and typing
"echo *"? Can you read them via an editor?

> What should I do at this point? Should I wipe the disk on this system?

If you're certain that you've been hacked, yes.

How do you think they got in?