From owner-freebsd-questions Sun Sep 23 12: 8:24 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from mtiwmhc24.worldnet.att.net (mtiwmhc24.worldnet.att.net [204.127.131.49]) by hub.freebsd.org (Postfix) with ESMTP id 5C72F37B41D for ; Sun, 23 Sep 2001 12:08:20 -0700 (PDT)
Received: from tomcat ([12.93.210.229]) by mtiwmhc24.worldnet.att.net (InterMail vM.4.01.03.16 201-229-121-116-20010115) with SMTP id <20010923190819.LYYF21828.mtiwmhc24.worldnet.att.net@tomcat>; Sun, 23 Sep 2001 19:08:19 +0000
From: "Andrew C. Hornback"
To:
Cc:
Subject: RE: Freebsd being hacked
Date: Sun, 23 Sep 2001 15:08:06 -0400
Message-ID: <009b01c14463$13e96b00$0e00000a@tomcat>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
In-Reply-To: <3BAB66EB.2C80217B@home.com>
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
Importance: Normal
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

> -----Original Message-----
> From: owner-freebsd-questions@FreeBSD.ORG
> [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Rob
> Sent: Friday, September 21, 2001 12:12 PM
> To: ybbor@freedom.net
> Cc: freebsd-questions@FreeBSD.ORG
> Subject: Re: Freebsd being hacked
>
>
> ybbor@freedom.net wrote:
> >
> > Hello,
> >
> > I have a FreeBSD server. It was running FreeBSD 3.x (not exactly sure)
> > and last week someone used that telnet exploit. So I ran that patch on
> > your site. Then I downloaded the FreeBSD 4.4 ISO and upgraded my
> > system.
> >
> > Today I tried to log in to my computer and I can't telnet in to it. So
> > I went to the box, and I can't log in to it. On the screen it says
> > there was an 'su pop to toor', and that the kernel log was full. It
> > looks like I was hacked, so I unplugged the computer from the network
> > and now I don't know what to do.
> >
> > How do I log in to a computer if someone changed the root password and
> > disabled every other account?
>
> I'd reinstall the OS from an ISO disk. Others with more experience in
> this might have a better solution.

You're going to have to do a little more than that, I imagine. Format the drive and reinstall, not just re-install. Going to have to back up everything off of the drive that you want to keep, put it in a "quarantine" area, as any executables on the system may have been compromised, reinstall and step your way through reinstalling your data.

I believe this is the same general advice you get any time you've been hacked.

--- Andy

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
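The "back it up into a quarantine area, but treat every executable as suspect" step Andy describes is easy to get wrong by hand when a whole home directory is involved. The following POSIX sh script is an added example written for this archive page; it is not part of the original thread and not a FreeBSD tool. It walks a source tree (assumed to be the old disk mounted read-only somewhere, e.g. a path you pass as the first argument), copies regular data files into a quarantine directory preserving their relative paths, holds back anything that carries an execute bit or an ELF header and lists those separately, and records a SHA-256 manifest of what was copied so the data can be verified again before it goes back onto the rebuilt system. The directory layout and file names (`data/`, `held-executables.txt`, `MANIFEST`) are this example's own choices.

```shell
#!/bin/sh
# quarantine_copy SRC DEST
# Copies regular files under SRC into DEST/data, preserving relative paths,
# but holds back anything that looks executable (exec bit set, or ELF magic
# at offset 0) and lists it in DEST/held-executables.txt instead of copying.
# Every copied file gets a checksum line in DEST/MANIFEST.
# Example code, not from the original mailing-list post.

# Pick whichever SHA-256 tool the host has: GNU coreutils, Perl shasum,
# or the BSD sha256 utility. Falls back to cksum (CRC, not cryptographic).
hashfile() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        cksum "$1" | cut -d' ' -f1
    fi
}

# Returns 0 (true) when the file has an execute bit or starts with \177ELF.
# Checking the header catches binaries whose mode bit was deliberately cleared.
looks_executable() {
    [ -x "$1" ] && return 0
    [ "$(head -c 4 "$1" 2>/dev/null)" = "$(printf '\177ELF')" ]
}

quarantine_copy() {
    src=$1
    dest=$2
    mkdir -p "$dest/data"
    : > "$dest/held-executables.txt"
    : > "$dest/MANIFEST"
    find "$src" -type f | while IFS= read -r f; do
        rel=${f#"$src"/}                       # path relative to SRC
        if looks_executable "$f"; then
            printf '%s\n' "$rel" >> "$dest/held-executables.txt"
            continue
        fi
        mkdir -p "$dest/data/$(dirname "$rel")"
        cp -p "$f" "$dest/data/$rel"
        printf '%s  %s\n' "$(hashfile "$dest/data/$rel")" "$rel" >> "$dest/MANIFEST"
    done
}

# Usage (uncomment to run against a mounted old disk):
# quarantine_copy /mnt/olddisk/home /quarantine
```

Mount the quarantine target with `noexec` so nothing that does slip through can be run from there, and keep `held-executables.txt` with the copied data: it is the list of things to reinstall from the distribution or ports rather than restore from the old disk.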