From: "Jeffrey J. Mountin"
To: Marc Rassbach
Cc: freebsd-security@FreeBSD.ORG
Date: Wed, 06 Dec 2000 10:24:49 -0600
Subject: Re: Move along, nothing to see here. Re: Important!! Vulnerability in standard ftpd
Message-Id: <4.3.2.20001206101651.0285d4b0@207.227.119.2>
References: <20001202144502.A1968@ringworld.oblivion.bg>

At 09:23 AM 12/2/00 -0600, Marc Rassbach wrote:
>I've seen it also. 3 Linux boxes, and one FreeBSD 2.2.7. The 3 Linux
>boxes were trojaned in different ways (different people). 2 of them had
>ssh *ADDED* just so they could start capturing passwords. (the client
>wasn't using ssh) Password sniffing, etc. They had the root password for
>the FreeBSD box for about a month.
>
>They kept placing Linux binaries on the FreeBSD box. The box would run
>"weird" according to the customer. They were going to move over to a new
>FreeBSD box....so fixing the 2.2.7 box wasn't important :-)

Another reason why many should use binary upgrades for a fresh start. When in doubt, nuke it. Even so, I like to do a drive swap upgrade to start completely fresh.

>After the Linux boxen were used to portscan other boxes, did I get to
>scrub the BSD box :-) The Linux boxes....they were all re-installed from
>scratch. They couldn't find ALL the trojans with the Linux box. From
>the BSD side.... make world and the script kiddies were gone.

Audits suck, period. No matter the tools used.

Hopefully you didn't trust the sources on the compromised server without being sure they were clean. Not a good impression to give. Imagine the tool chain could be used, but you did say script kiddies. ;)

In light of that, one should always protect local source code.

Jeff Mountin - jeff@mountin.net
Systems/Network Administrator
FreeBSD - the power to serve