Date: Mon, 21 Aug 2000 12:31:27 +0600 (KGST)
From: CrazZzy Slash
To: "Vladimir I. Kulakov"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: "snmp.sample" in /usr/local/etc/rc.d/
In-Reply-To: <20000820161100Z274714-23170+33643@ajax2.sovam.com>

Hi!

Can you send me your /tmp/install.log?

On Sun, 20 Aug 2000, Vladimir I. Kulakov wrote:

> Hi, all!
>
> I've just moved my server from FreeBSD 2.2.5 to 4.0 due
> to total hardware upgrade and many security holes.
>
> After upgrade I've mounted the hard disk from the previous
> machine and moved all user's data from /usr/home/ from it
> to the new hard disk. The new machine had new root
> password, of course.
>
> But at the next day after upgrade I've suddenly noticed
> two new scripts in /usr/local/etc/rc.d/ which intended to
> start at every bootup process and which I've never installed.
>
> Moreover, at the /usr/local/sbin/ there two more
> files appeared (snmpd and the second something like this).
> I've never installed snmp on that machine and mtree
> tells me such files never existed there.
>
> In the log files there is nothing special.
>
> The new system was installed from a "clear"
> distribution.
>
> Were these trojan programs? How can I check
> my server for such security holes? And how
> such programs could be installed?
>
> Maybe my mistake was mounting my old disk with
> security holes then working connected to the Internet?
> But how the hacker could execute programs even
> from insecure disk on a secure machine?
>
> Help me, please!!!
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message