From: Steve Hovey
To: Randy Katz
cc: questions@FreeBSD.ORG
Date: Thu, 1 Jan 1998 11:18:30 -0500 (EST)
Subject: Re: HACKED (again)

I personally don't trust ssh - I have no other reason not to trust it than that I suffered a root incursion once shortly after installing it - since it was the last thing in, I did not reinstall it when I rebuilt the system.

On Wed, 31 Dec 1997, Randy Katz wrote:

> Ok,
>
> Please help me out here. I shut off telnet to a particular host and had
> sshd & ftpd (wu beta 15) running with access only from one other host. The
> other host had telnetd running and ftpd.
>
> They got into the host (let's call it host1) as root somehow and changed
> an index.html file of a Web Site (bragging). They erased their trail,
> blew away wtmp and any log entries...
>
> The way I know they got in as root is .history in /root had entries of
> their activity.
>
> The other host which could access this server via ssh had no sign of
> molestation that I can see. The log files and wtmp were completely
> intact and no entries from anyone other than the intended (only 2 people
> log into this machine).
>
> I WANT TO KNOW HOW THEY DID IT. Can anyone address this?
>
> I'm NOT asking for a solution about what to do. I just want to know how
> they gained access. The machine is FreeBSD 2.2.5 the latest.
>
> Thanx again,
> Randy Katz
>

------------------------------------------------------------------
Steve Hovey
Chief Engineer
BuffNET
More Than Just a Connection!
------------------------------------------------------------------