Delivered-To: freebsd-questions@freebsd.org
From: "Tomek" <tomek@mpionline.com>
Subject: Re: I got hacked, I think
Date: Thu, 18 Oct 2001 10:09:08 -0600

> One reason why a bootup password would help on a system you can't keep
> physically secure.

Not really a concern because the computer is physically very secure.

> I don't have a Broot either. What version of FreeBSD are you running?
> I have root and toor as the only uid 0 accounts.

Just looking at google will show that MANY people have it. As I mentioned
previously, I have:

VERSION: FreeBSD 4.3-RELEASE (GENERIC) #0: Sat Apr 21 10:54:49 GMT 2001

> This is probably part of the inn port.
> This person may have set you

We have a news server running, but that is not the problem. The problem is
that we have not touched or changed the news server in at least several
months, so to have it suddenly record changes is not normal.

> I'd say backup everything for evidence/tracking/study/etc. and reinstall.

Problem is that I can't find anything, so I am hoping the next time they do
something I WILL find something. It's clear they installed sudo, they hacked
the system, they are changing file permissions AND covering sudo tracks in
logs. Clearly they have not COMPLETELY broken root, because they would have
deleted their l-x user tracks and just used root instead. I need to find out
WHAT this person wants and what they have already done.

As for Broot... that concerns me. Does anyone else HAVE it, or am I the only
one?
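As an added example (not part of this thread or of FreeBSD), a small POSIX shell check for the uid 0 question raised above: it lists every uid 0 entry in a passwd-format file and flags any name that is not root or toor. The passwd data is a constructed sample with a planted "Broot" entry; on a real host you would point it at /etc/master.passwd.

```sh
#!/bin/sh
# Added example, not from the thread: audit a passwd-format file for
# unexpected uid 0 accounts (the "Broot" question above).

# Print the login name of every entry whose uid field is 0.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Print uid 0 accounts that are not in the expected list.
# $1 is the passwd file; remaining arguments are the expected names
# (defaults to root and toor, the two uid 0 accounts FreeBSD ships with).
unexpected_uid0() {
    file=$1
    shift
    if [ $# -eq 0 ]; then
        set -- root toor
    fi
    expected=$*
    uid0_accounts "$file" | while read -r name; do
        found=0
        for e in $expected; do
            if [ "$name" = "$e" ]; then
                found=1
            fi
        done
        if [ "$found" -eq 0 ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Constructed sample data: stock root/toor, a daemon account, a planted
# "Broot" superuser and a normal user. On a real host use /etc/master.passwd.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/sbin/nologin
Broot:*:0:0:backup root:/root:/bin/sh
tomek:*:1001:1001:Tomek:/home/tomek:/bin/sh
EOF

# Usage: prints "Broot" for the sample file.
unexpected_uid0 "$SAMPLE_PASSWD"
```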