Date: Wed, 06 Dec 2000 10:24:49 -0600
From: "Jeffrey J. Mountin" <jeff-ml@mountin.net>
To: Marc Rassbach <marc@milestonerdl.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Move along, nothing to see here. Re: Important!! Vulnerability in standard ftpd
Message-ID: <4.3.2.20001206101651.0285d4b0@207.227.119.2>
In-Reply-To: <Pine.BSF.4.21.0012020856030.16738-100000@tandem.milestonerdl.com>
References: <20001202144502.A1968@ringworld.oblivion.bg>

At 09:23 AM 12/2/00 -0600, Marc Rassbach wrote:
>I've seen it also. 3 Linux boxes, and one FreeBSD 2.2.7. The 3 linux
>boxes were trojaned in different ways (different people). 2 of them had
>ssh *ADDED* just so they could start capturing passwords. (the client
>wasn't using ssh) Password
>sniffing, etc la. They had the root password for the FreeBSD box for
>about a month.
>
>They kept placing Linux binaries on the FreeBSD box. The box would run
>"weird" according to the customer. They were going to move over to a new
>FreeBSD box....so fixing the 2.2.7 box wasn't important :-)

Another reason why many should use binary upgrades for a fresh start. When in doubt nuke it. Even so, I like to do a drive swap upgrade to start completely fresh.

>After the linux boxen were used to portscan other boxes, did I get to
>scrub the BSD box :-) The Linux boxes....they were all re-installed from
>scratch. They couldn't find ALL the trojans with the linux box. From
>the BSD side.... make world and the script kiddies were gone.

Audits suck, period. No matter the tools used.

Hopefully you didn't trust the sources on the compromised server without being sure they were clean. Not a good impression to give. Imagine the tool chain could be used, but you did say script kiddies. ;)

In light of that, one should always protect local source code.

Jeff Mountin - jeff@mountin.net
Systems/Network Administrator
FreeBSD - the power to serve