From owner-freebsd-security Thu Nov 30 00:54:36 1995
Date: Thu, 30 Nov 1995 00:55:10 -0800 (PST)
From: Robert Du Gaue
To: "Jordan K. Hubbard"
cc: security@freebsd.org
Subject: Re: ****HELP*****
In-Reply-To: <8119.817718450@time.cdrom.com>

> Hmmmmmm. A couple of things that confuse me here.. You say you
> "upgraded" sendmail 8.9 to 8.7? :) I can ask around, but I wasn't

This was sendmail 8.6.9. I thought we were running 8.6.12 on all the machines, but weren't. They are now running 8.7. I'm told 8.6.9 had a serious security flaw in it; at least that's what the history docs say in 8.7.2 also.

> Second, I assume you've deleted the account of the person being attacked?

Well, it's a regular user. Is this the normal method? Reassign him a new login id? One thing, though, is that he's a dedicated fixed-IP account too, with a registered domain, so I'm hesitant to disable his system because of something someone is doing to him. I can remove his local account, but the hacker has also gone into the radius /etc/raddb/users file and removed his fixed IP login also.

> I'm curious how he got ahold of the real password file - are you sure
> it wasn't just the shadow passwords?

When we specifically asked the user if there was an '*' in the second field he said 'no, a bunch of garbage characters'.

> If you can give us more clues, we can both give you avenues to follow
> in securing your system and track down the method(s) the perp is using.

One thing very strange was my user said this guy appeared to be controlling him in IRC. He (the perp) was moving the user around from room to room (joining him into gay channels and stuff) and then typing in lines for him also. All with the user watching, unable to control what he was doing to him.

> Also, please don't be afraid to employ legal means. What this hacker
> has done is a felony and should be made an example of to the
> fullest extent provided by the law. Most data crime units in the
> various PDs are fairly eager, actually - it's budget time! :-)

Really???? Has Law Enforcement finally figured out this is serious shit? I was under the impression that most agencies have no clue what to do and how to do anything about it.

> Also, the security@freebsd.org list is available for discussing
> security issues with other admins throughout the world, many of whom
> are pretty good. I'm sure at least one or two people here will have
> some first tips for you to try (security isn't really my bag, to be
> honest!).

Ok, thanks! I'll subscribe to this one.

> Anyway, I'd be happy to help you out, but we obviously need more
> information about what this guy is actually up to.. Any log info or
> anything else you think may be relevant?

Thanks. So far we've started blocking these services at our router:

tftpd
nfs
portmapper
bootp (client and server)
finger
(i.e., ports 67 68 69 79 2049)
nntp outside our domain
any IP requests coming into our router that are not in our domain.

All machines are running 8.7 with the exception of the SGI, which is running 8.6.12. I've installed tcp_wrappers on all the FreeBSD systems and will be configuring that tomorrow morning.
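An added illustration (not part of the original message) of the tcp_wrappers configuration the last paragraph describes: deny by default, allow wrapped services only from the local domain, refuse finger and tftp to everyone as a backstop to the router filter, and log every refused connection. The domain name is a placeholder; the classic hosts_access(5) syntax is used so it does not depend on the extended-options build.

```text
# /etc/hosts.allow -- consulted first; a matching line grants access.
# Every wrapped daemon except finger and tftp is reachable from hosts
# with no dot in their name (LOCAL) or from the site's own domain.
# ".example.org" is a placeholder for the real domain.
ALL EXCEPT in.fingerd in.tftpd : LOCAL, .example.org

# /etc/hosts.deny -- consulted second; a matching line refuses access.
# Everything not allowed above is refused, and the third field runs a
# shell command that records the daemon (%d) and client (%c) via syslog
# so attempts that get past the router filter still leave a trace.
ALL : ALL : /usr/bin/logger -p auth.notice "tcpd: %d refused from %c"
```

tcpd also logs each refusal itself under the LOG_MAIL or LOG_DAEMON facility chosen at compile time, so the logger line is only a duplicate channel to auth.notice for sites that watch that facility.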