From owner-freebsd-security Tue May 7 7:37:31 2002
Delivered-To: freebsd-security@freebsd.org
Received: from koibito.iisc.com (koibito.iisc.com [198.5.5.5]) by hub.freebsd.org (Postfix) with ESMTP id E8C1637B40B for ; Tue, 7 May 2002 07:37:19 -0700 (PDT)
Received: from koibito.iisc.com ([127.0.0.1]) by koibito.iisc.com (8.9.0/8.9.0) with ESMTP id KAA23748; Tue, 7 May 2002 10:36:59 -0400 (EDT)
Message-Id: <200205071436.KAA23748@koibito.iisc.com>
To: sam@wa4phy.net, security@FreeBSD.ORG
Subject: Re: Woot project
In-Reply-To: Your message of "Mon, 06 May 2002 21:00:02 EDT." <3CD72712.37CB5750@vortex.wa4phy.net>
Date: Tue, 07 May 2002 10:36:59 -0400
From: "Charles M. Richmond"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

> I don't have SSH-1 or 2 active at the moment,

That you know of... If your machine has been hacked previously, then that hacker probably left an sshd running as part of his rootkit. It may not be named sshd, of course, and it does have a back door. Or, as you ask below, there is another vector of attack.

I had a FreeBSD box hacked and, until I figure out how it was done, I can't put it back on the network. Hmmm... maybe I'll put WK2 on it. )-:

> so I'm wondering how access was gained. Have
> searched all the log files for unusual activity, and nothing is apparent
> so far. The message left at the bottom of my main page was:
>
> FreeBSD vortex.wa4phy.net 4.5-STABLE sexcii... - [sYn] of woot-project
>
> Aside from the SSH-1 vulnerabilities, are there any other known
> entry points associated with this cracker group?

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
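The point made in the reply above (a rootkit may leave a renamed sshd listening, so "I don't run sshd" only holds for the processes you know about) is the kind of thing an allowlist check over the host's listening sockets catches. The script below is an added example, not code from the thread or from FreeBSD: it parses lines in the column layout of `sockstat -4l` (user, command, pid, fd, proto, local address, foreign address) and prints every listener whose command:port pair is not on an explicit allowlist. The `ALLOWED` list and the `SAMPLE_SOCKSTAT` lines are constructed for the demo; on a real host you would pipe `sockstat -4l` into `flag_unexpected_listeners` instead.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): flag listening sockets that
# are not on an explicit allowlist, using the column layout of FreeBSD's
# `sockstat -4l`.  Real use:  sockstat -4l | flag_unexpected_listeners
# ALLOWED and SAMPLE_SOCKSTAT below are constructed assumptions for this demo.

# Allowlist of "command:port" pairs this host is expected to have listening.
ALLOWED="sshd:22 sendmail:25 syslogd:514 httpd:80"

# Constructed sockstat -4l output: a normal host plus a daemon under an
# innocuous-looking name on a high port, and a second sshd on a non-standard port.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       612   4  tcp4   *:22                  *:*
root     sendmail   711   4  tcp4   127.0.0.1:25          *:*
root     syslogd    455   5  udp4   *:514                 *:*
www      httpd      820   17 tcp4   *:80                  *:*
root     kflushd    1337  3  tcp4   *:31337               *:*
root     sshd       1402  5  tcp4   *:2222                *:*'

# Reads sockstat-style lines on stdin and prints "user command pid local_address"
# for every listener whose command:port pair is not in $ALLOWED.
flag_unexpected_listeners() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 && $1 == "USER" { next }            # skip the header line
        NF >= 6 {
            port = $6; sub(/.*:/, "", port)         # port = text after the last colon
            key = $2 ":" port
            if (!(key in ok)) print $1, $2, $3, $6
        }'
}

# Runs the check over the constructed sample; used by the demo invocation below.
demo() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | flag_unexpected_listeners
}

demo
```

Two caveats when using this for real: a rootkit that replaces `sockstat`, `netstat` or `ps` will hide its own listener from this check, so run it from a clean boot or read-only media rather than the suspect system's binaries; and a daemon that only listens after a trigger (or that reuses a legitimate name and port, as the second `sshd` entry above does) will only be caught if the allowlist also pins the expected binary, for example by comparing each listening process's executable against known-good checksums.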