Subject: Re: Post qpopper trauma
From: Benedikt Stockebrand
To: "Show Boat"
Cc: security@FreeBSD.ORG
Date: 29 Jul 1998 21:38:30 +0200
In-Reply-To: "Show Boat"'s message of "Tue, 28 Jul 1998 14:11:24 PDT"
References: <19980728211125.14099.qmail@hotmail.com>
Message-ID: <87g1fksb0p.fsf@devnull.ruhr.de>

"Show Boat" writes:

> I've looked through the 'last' log extensively. Again, nothing I cannot
> account for. Anyone with potential root access (sudo) logged from an IP
> I can account for.

Are you sure that those machines haven't been hacked?

Aside from that, a couple additional suggestions:

- Use "netstat -a -n" to learn about services you don't expect. And don't believe the service numbers in your /etc/services but look things up (maybe on an installation CD-ROM?).

- If you have a spare machine (any 386 with some disk space will do), make it a secured log host.
  IOW, make it close all ports except syslog and read logs directly on the console. And maybe hack up some tcpdump stuff on it to see about unexpected things going on.

- Use tripwire to check if any files have been modified. This especially includes configuration files.

- Consider using RCS or CVS for managing your config files. But keep the repositories out of everyone's reach.

- Install from scratch.

- When you restore the user home directories etc. check for suid/sgid files.

- Install packet filters wherever feasible.

So long,

    Ben

-- 
Ben(edikt)? Stockebrand    Un*x SA
My name and email address are not to be added to any list used for
advertising purposes. Any sender of unsolicited advertisement e-mail to
this address implicitly agrees to pay a DM 500 fee to the recipient for
proofreading services.
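The suid/sgid check Ben recommends for restored home directories is easy to make repeatable. The POSIX shell script below is an added example, not code from Ben's message or from the FreeBSD project: it records the set of setuid/setgid files under a tree as a baseline and later reports anything that appeared or vanished, in the spirit of the tripwire suggestion but limited to privilege bits. It assumes only `find`, `sort`, `comm` and `mktemp`; the tree and baseline paths are placeholders you pass in.

```shell
#!/bin/sh
# Added example (not from the original post). Baseline-and-compare check for
# setuid/setgid regular files, e.g. over restored home directories.
# Usage: save_baseline /home /var/db/suid.baseline
#        check_against_baseline /home /var/db/suid.baseline
# (both paths are placeholders; pick whatever suits the machine)

# Print every setuid or setgid regular file under $1, one path per line,
# sorted so the output can be fed to comm(1). Errors (unreadable dirs)
# are silenced so a partial tree still yields a usable list.
list_privileged_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Save the current list for tree $1 into baseline file $2.
save_baseline() {
    list_privileged_files "$1" > "$2"
}

# Compare tree $1 against baseline $2. Prints "+ path" for privileged files
# that are new since the baseline and "- path" for ones that disappeared.
# Returns 0 when nothing changed, 1 on any difference, 2 on internal error.
check_against_baseline() {
    tmp=$(mktemp) || return 2
    list_privileged_files "$1" > "$tmp"
    added=$(comm -13 "$2" "$tmp")      # lines only in the current list
    removed=$(comm -23 "$2" "$tmp")    # lines only in the baseline
    rm -f "$tmp"
    rc=0
    if [ -n "$added" ]; then
        printf '%s\n' "$added" | sed 's/^/+ /'
        rc=1
    fi
    if [ -n "$removed" ]; then
        printf '%s\n' "$removed" | sed 's/^/- /'
        rc=1
    fi
    return $rc
}
```

Take the baseline right after the clean reinstall, before any user data is restored, and keep it off the box (Ben's point about repositories applies to baselines too); a non-zero exit from `check_against_baseline` is what a cron job or a log-host script would act on.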