From owner-freebsd-security Thu Nov 30 07:40:33 1995
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id HAA21123 for security-outgoing; Thu, 30 Nov 1995 07:40:33 -0800
Received: from wiley.muc.ditec.de (wiley.muc.ditec.de [194.120.126.9]) by freefall.freebsd.org (8.6.12/8.6.6) with ESMTP id HAA20853 for ; Thu, 30 Nov 1995 07:39:59 -0800
Received: from vector.eikon.e-technik.tu-muenchen.de (ns059.munich.netsurf.de [194.64.166.59]) by wiley.muc.ditec.de (8.6.12/8.6.9) with ESMTP id QAA08322; Thu, 30 Nov 1995 16:33:06 +0100
Received: from localhost (localhost [127.0.0.1]) by vector.eikon.e-technik.tu-muenchen.de (8.6.12/8.6.9) with SMTP id QAA02524; Thu, 30 Nov 1995 16:25:18 +0100
Message-Id: <199511301525.QAA02524@vector.eikon.e-technik.tu-muenchen.de>
X-Authentication-Warning: vector.eikon.e-technik.tu-muenchen.de: Host localhost didn't use HELO protocol
To: Robert Du Gaue
cc: security@FreeBSD.ORG, tb@emi.net
Subject: Re: ****HELP*****
Reply-To: "Julian H. Stacey"
X-mailer: EXMH version 1.6.4 10/10/95
In-reply-to: Your message of "Thu, 30 Nov 1995 00:00:50 PST." <8119.817718450@time.cdrom.com>
Date: Thu, 30 Nov 1995 16:25:16 +0100
From: "Julian H. Stacey"
Sender: owner-security@FreeBSD.ORG
Precedence: bulk

Hi,
Responding to:
> From: Robert Du Gaue
> Cc: security@FreeBSD.ORG
> To: "Jordan K. Hubbard"
> Subject: Re: ****HELP*****
> Cc: security@FreeBSD.ORG

With reference to the
> One thing very strange was my user said this guy appeared to be
> controlling him in IRC. He (the perp) was moving the user around from room
> to room (joining him into gay channels and stuff) and then typing in
> lines for him also. All with the user watching without being able to control
> what he was doing to him.
>

Ref. the IRC bit ...
Sounds like one of the attack methods may be getting hold of your X Display too?
A friend, Tom Bagley, did a demo for me years ago, to show me my X session was
unsafe (innocent demo I might add, nothing nasty).
Anyway, ask Tom how to sew that particular hole up (I can't remember);
that'll still leave all the other holes to block, of course.

I'm no security whiz unfortunately, but for background reading you might
want to check out the URLs on my
	http://www.freebsd.org/~jhs/computing.html
(Security section).

In particular perhaps this might help?
	Security Alert Report Authorities
	CERT Coordination Center
	Software Engineering Institute
	Carnegie Mellon University
	Pittsburgh, PA 15213-3890

Julian
---
Julian H. Stacey	jhs@freebsd.org		http://www.freebsd.org/~jhs/