From owner-freebsd-bugs Fri Jan 9 10:30:03 1998
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id KAA26151 for bugs-outgoing; Fri, 9 Jan 1998 10:30:03 -0800 (PST) (envelope-from owner-freebsd-bugs)
Received: (from gnats@localhost) by hub.freebsd.org (8.8.7/8.8.7) id KAA26109; Fri, 9 Jan 1998 10:30:01 -0800 (PST) (envelope-from gnats)
Resent-Date: Fri, 9 Jan 1998 10:30:01 -0800 (PST)
Resent-Message-Id: <199801091830.KAA26109@hub.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@FreeBSD.ORG, ken@bolingbroke.com
Received: (from nobody@localhost) by hub.freebsd.org (8.8.7/8.8.7) id KAA25618; Fri, 9 Jan 1998 10:25:14 -0800 (PST) (envelope-from nobody)
Message-Id: <199801091825.KAA25618@hub.freebsd.org>
Date: Fri, 9 Jan 1998 10:25:14 -0800 (PST)
From: ken@bolingbroke.com
To: freebsd-gnats-submit@FreeBSD.ORG
X-Send-Pr-Version: www-1.0
Subject: conf/5470: Security compromised on new installation of FreeBSD
Sender: owner-freebsd-bugs@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

>Number:         5470
>Category:       conf
>Synopsis:       Security compromised on new installation of FreeBSD
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jan 9 10:30:00 PST 1998
>Last-Modified:
>Originator:     Ken Bolingbroke
>Organization:
>Release:        2.2.5-RELEASE
>Environment:
FreeBSD sacto.bolingbroke.com 2.2.5-RELEASE FreeBSD 2.2.5-RELEASE #0: Tue Oct 21 14:33:00 GMT jkh@time.cdrom.com:/usr/src/sys/compile/GENERIC i386
>Description:
After initial network installation of FreeBSD, using the /stand/sysinstall utility to add further software removes any modified user db and replaces it with the default, including a root account with *no* password. I only noticed this when I got console messages of an attempted root login. My system was compromised and at least one trojan horse was found on this system.

Since it was a new installation, I just wiped the hard disk and started over, but using /stand/sysinstall again wiped my new user db and cleared the root password. I haven't isolated the problem, but I'm using /stand/sysinstall after the initial installation because X-Windows doesn't seem to install correctly...
>How-To-Repeat:
Use /stand/sysinstall to add additional software...
>Fix:
>Audit-Trail:
>Unformatted:
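The exposure the report describes is a root entry whose password field is empty in the password database. The following audit script is an added example, not part of the problem report or of FreeBSD's own tooling: it scans a file in BSD master.passwd format and lists accounts with an empty password field and uid-0 accounts that are not locked. The sample database embedded in the script is constructed for the demonstration; on a real host the input would be /etc/master.passwd, which is readable only by root.

```sh
#!/bin/sh
# Added example (not from the original problem report): audit a BSD
# master.passwd-format file for accounts that can log in with no password.
# Field layout:
#   name:password:uid:gid:class:change:expire:gecos:home:shell

# Constructed sample data for the demonstration, not taken from the report.
# "root" has an empty password field, "toor" and "daemon" are locked with
# '*', and "ken" has a hashed password.
SAMPLE_MASTER_PASSWD='root::0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
ken:$1$saltsalt$hashhashhashhashhashhash:1001:1001::0:0:Ken:/home/ken:/bin/csh'

# Print one login name per line for every entry whose password field is empty.
# Argument: path to a master.passwd-format file.
passwordless_accounts() {
    awk -F: 'NF >= 2 && $2 == "" { print $1 }' "$1"
}

# Print one login name per line for every uid-0 entry that is not locked,
# i.e. whose password field is neither '*' nor prefixed with '!'.
unlocked_uid0_accounts() {
    awk -F: 'NF >= 3 && $3 == 0 && $2 != "*" && $2 !~ /^!/ { print $1 }' "$1"
}

# Exit status 0 when at least one uid-0 entry has an empty password field,
# which is exactly the state the report describes for root.
has_passwordless_root() {
    awk -F: 'NF >= 3 && $3 == 0 && $2 == "" { found = 1 } END { exit !found }' "$1"
}

# Demonstration on the constructed sample.
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_MASTER_PASSWD" > "$demo_file"
echo "Accounts with an empty password field:"
passwordless_accounts "$demo_file"
echo "Unlocked uid-0 accounts:"
unlocked_uid0_accounts "$demo_file"
if has_passwordless_root "$demo_file"; then
    echo "WARNING: a uid-0 account has no password set"
fi
rm -f "$demo_file"
```

Run against the live database (`sh audit.sh`, after replacing the sample with `/etc/master.passwd` as the argument) immediately after any sysinstall pass; a hit on `has_passwordless_root` means the root password must be set again with `passwd` before the machine is left reachable from the network.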