Subject: Re: Freebsd being hacked
From: Bill Moran
To: ybbor@freedom.net
Cc: freebsd-questions@FreeBSD.ORG
Date: 21 Sep 2001 16:18:36 -0400
In-Reply-To: <20010921160628.5AD2337B41A@hub.freebsd.org>
Message-Id: <20010921163100.BBFD137B40A@hub.freebsd.org>

On 21 Sep 2001 09:06:01 -0700, ybbor@freedom.net wrote:
> Hello,
>
> I have a FreeBSD server. It was running FreeBSD 3.x (not exactly sure) and last week someone used that telnet exploit. So I ran that patch on your site. Then I downloaded the FreeBSD 4.4 ISO and upgraded my system.
>
> Today I try to log in to my computer and I can't telnet in to it. So I went to the box, and I can't log in to it. On the screen it says there was an 'su pop to toor', and that the kernel log was full. It looks like I was hacked, so I unplugged the computer from the network and now I don't know what to do.
>
> How do I log in to a computer if someone changed the root password and disabled every other account?

Boot into single user mode and you can change any password you want from there. Reboot, at the countdown, hit a key, then enter "boot -s".

However, now that your system is compromised, you need to format the disks, and completely reinstall FreeBSD from scratch, and change all the passwords.
You have to assume that everything and anything on that system was compromised, and that any data on that system has been accessed by a hostile person!

-Bill
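An added example, not part of the original message: Python that reviews a copy of the system log taken from the disconnected machine and flags `su` events such as the 'su pop to toor' line reported above, where an account with no login shell becomes a UID 0 account. The log and passwd excerpts are constructed, and the `su: <from> to <to> on <tty>` line layout is an assumption about the syslog format; only the names `pop` and `toor` come from the message.

```python
import re

# Constructed sample lines; host name, times and ttys are made up.
# Assumed layout: "su: [BAD SU ]<from> to <to> on <tty>".
SAMPLE_LOG = """\
Sep 20 22:14:03 server su: bill to root on /dev/ttyp0
Sep 21 03:41:17 server su: pop to toor on /dev/ttyp2
Sep 21 03:44:52 server su: BAD SU nobody to root on /dev/ttyp3
Sep 21 08:02:30 server login: ROOT LOGIN (root) ON ttyv0
"""

# Constructed passwd(5) excerpt: name:pw:uid:gid:gecos:home:shell
SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
pop:*:68:6:Post Office Owner:/nonexistent:/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/sbin/nologin
bill:*:1001:1001:Bill:/home/bill:/bin/sh
"""

SU_LINE = re.compile(r"\bsu: (?P<bad>BAD SU )?(?P<src>\S+) to (?P<dst>\S+) on (?P<tty>\S+)")
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/nonexistent"}

def load_accounts(passwd_text):
    """Map account name -> (uid, shell) from passwd(5)-style text."""
    accounts = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and not line.startswith("#"):
            accounts[fields[0]] = (int(fields[2]), fields[6])
    return accounts

def suspicious_su(log_text, passwd_text):
    """Return (src, dst, reason) for su events to a UID 0 account that need review."""
    accounts = load_accounts(passwd_text)
    findings = []
    for line in log_text.splitlines():
        m = SU_LINE.search(line)
        if not m:
            continue
        src, dst = m["src"], m["dst"]
        if accounts.get(dst, (None, ""))[0] != 0:
            continue  # target is not a superuser account
        shell = accounts.get(src, (None, None))[1]
        if m["bad"]:
            findings.append((src, dst, "failed attempt"))
        elif shell is None:
            findings.append((src, dst, "unknown source account"))
        elif shell in NOLOGIN_SHELLS:
            findings.append((src, dst, "service account with no login shell"))
    return findings
```

Run it against copies read from another machine, since tools and logs on the compromised system itself cannot be trusted.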