Date: Thu, 1 Jan 1998 11:18:30 -0500 (EST)
From: Steve Hovey <shovey@buffnet.net>
To: Randy Katz <randyk@ccsales.com>
Cc: questions@FreeBSD.ORG
Subject: Re: HACKED (again)
Message-ID: <Pine.BSI.3.95.980101111731.24847F-100000@buffnet11.buffnet.net>
In-Reply-To: <Pine.BSF.3.91.971231174544.9098A-100000@ccsales.ccsales.com>
I personally don't trust ssh - I have no other reason not to trust it than
that I suffered a root incursion once shortly after installing it - since it
was the last thing in, I did not reinstall it when I rebuilt the system.

On Wed, 31 Dec 1997, Randy Katz wrote:

> Ok,
>
> Please help me out here. I shut off telnet to a particular host and had
> sshd & ftpd (wu beta 15) running with access only from one other host. The
> other host had telnetd running and ftpd.
>
> They got into the host (let's call it host1) as root somehow and changed
> an index.html file of a Web Site (bragging). They erased their trail,
> blew away wtmp and any log entries...
>
> The way I know they got in as root is .history in /root had entries of
> their activity.
>
> The other host which could access this server via ssh had no sign of
> molestation that I can see. The log files and wtmp were completely
> intact and no entries from anyone other than the intended (only 2 people
> log into this machine).
>
> I WANT TO KNOW HOW THEY DID IT. Can anyone address this?
>
> I'm NOT asking for a solution about what to do. I just want to know how
> they gained access. The machine is FreeBSD 2.2.5 the latest.
>
> Thanx again,
> Randy Katz
>

------------------------------------------------------------------
Steve Hovey
Chief Engineer
BuffNET
More Than Just a Connection!
------------------------------------------------------------------
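The thread above turns on one forensic detail: the intruder wiped wtmp and the log entries on host1 but left root's .history behind, and the surviving wtmp on the other host was judged clean by eye. As an added example, not part of this thread and not FreeBSD code, the script below audits a wtmp file for the traces such a wipe usually leaves: a zero-length file, records zeroed in place, a file length that is not a multiple of the record size (a truncation that missed a record boundary), and timestamps that run backwards. It assumes the 4.4BSD utmp layout FreeBSD 2.x used on i386 (ut_line[8], ut_name[8], ut_host[16], 32-bit ut_time; 36 bytes per record); the sample records, the user and host names, and the timestamps are constructed for the demonstration.

```python
import struct

# Assumed layout of one 4.4BSD / FreeBSD 2.x wtmp record on i386:
#   char ut_line[8]; char ut_name[8]; char ut_host[16]; long ut_time;
# which packs to 36 bytes, little-endian.
UTMP_FMT = "<8s8s16sl"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 36


def _cstr(b):
    """Decode a NUL-padded fixed-width C string field."""
    return b.split(b"\0", 1)[0].decode("ascii", "replace")


def make_record(line, name, host, t):
    """Pack one wtmp record; used here only to build constructed sample data."""
    return struct.pack(UTMP_FMT, line.encode(), name.encode(), host.encode(), t)


def parse_wtmp(data):
    """Return every complete record in data as (line, name, host, time) tuples."""
    count = len(data) // UTMP_SIZE
    return [
        (_cstr(l), _cstr(u), _cstr(h), t)
        for l, u, h, t in (
            struct.unpack_from(UTMP_FMT, data, i * UTMP_SIZE) for i in range(count)
        )
    ]


def audit_wtmp(data):
    """Flag the structural traces a crude log wipe leaves in a wtmp file."""
    findings = {
        "empty": len(data) == 0,                  # file blown away or truncated to 0
        "trailing_bytes": len(data) % UTMP_SIZE,  # truncation off a record boundary
        "zeroed_records": 0,                      # entries overwritten with NULs
        "time_regressions": 0,                    # entries deleted/rewritten out of order
        "records": 0,
    }
    records = parse_wtmp(data)
    findings["records"] = len(records)
    last_t = 0
    for line, name, host, t in records:
        # A fully zeroed record never occurs naturally: even a logout entry
        # carries ut_line and ut_time.  Skip it before the time check so its
        # t == 0 is not double-counted as a regression.
        if not line and not name and not host and t == 0:
            findings["zeroed_records"] += 1
            continue
        if t < last_t:
            findings["time_regressions"] += 1
        last_t = max(last_t, t)
    findings["suspicious"] = (
        findings["empty"]
        or findings["trailing_bytes"] != 0
        or findings["zeroed_records"] > 0
        or findings["time_regressions"] > 0
    )
    return findings


# Constructed sample data: T0 is roughly 1 Jan 1998 UTC.
T0 = 883650000
CLEAN_WTMP = b"".join([
    make_record("~", "reboot", "", T0),
    make_record("ttyp0", "randyk", "host2", T0 + 600),
    make_record("ttyp0", "", "", T0 + 1200),  # logout: empty ut_name is normal
])
TAMPERED_WTMP = (
    make_record("~", "reboot", "", T0)
    + b"\0" * UTMP_SIZE                          # login record zeroed in place
    + make_record("ttyp0", "", "", T0 + 1200)
    + make_record("ttyp1", "randyk", "host2", T0 - 100)  # re-added out of order
    + b"\0" * 5                                  # leftover from a sloppy truncation
)

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_WTMP), ("tampered", TAMPERED_WTMP)):
        print(label, audit_wtmp(blob))
```

Two caveats when reading the output: a logout record legitimately has an empty ut_name, and a clock step can produce a single time regression, so a hit is a lead to cross-check against other artifacts (root's shell history, ftpd transfer logs, the peer host's wtmp) rather than proof. An intruder who truncates on a record boundary and leaves the remaining times monotonic defeats all four checks, which is exactly why the forgotten .history file was the only evidence left on host1.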