Date: Tue, 22 Sep 1998 15:42:30 -0500
From: "Jeffrey J. Mountin"
To: Ping Mai, freebsd-isp@FreeBSD.ORG
Subject: Re: HELP: hacked by John the Ripper
In-Reply-To: <199809221554.IAA02712@pushkar.stepnet.com>

At 08:54 AM 9/22/98 -0700, Ping Mai wrote:
>It seems my system has been hacked. The hacker altered the DNS tables and
>left a passwd cracker in /bin. There were DNS db files that were invisible
>to "/bin/ls", but they show up from "od" dump of the directory. Can someone
>help me to find out how he got in initially? What should I do at this point?
>Should I wipe the disk on this system?

I'd take the server offline and replace the drive the OS is on. This would allow you to check out the hack in detail, after which you can work on a solution, and you have evidence. Good idea to send a message to CERT as well as possibly contacting the FBI, if it means enough to you. Otherwise wipe the disk and reinstall.

If you have more than one disk, make sure that there are no other surprises waiting and screen what you save.

Jeff Mountin - Unix Systems TCP/IP networking
jeff@mountin.net
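The hidden-entry check the original poster did by hand (directory entries that "od" shows but /bin/ls does not) can be scripted; this is an added example, not code from the thread or from FreeBSD. It reads the directory through the kernel's own interface (os.scandir) and diffs that against what the ls binary prints, so a userland-trojaned ls that filters names is caught; a kernel-level rootkit hides from both, so an empty difference is not proof of a clean host. The fake_ls.sh script and the file names in demo() are constructed for the demonstration.

```python
import os
import stat
import subprocess
import tempfile


def raw_entries(path):
    """Names the kernel returns for the directory, bypassing the ls binary."""
    with os.scandir(path) as it:
        return {entry.name for entry in it}


def ls_entries(path, ls_cmd="/bin/ls"):
    """Names the (possibly tampered) ls binary reports; '.' and '..' dropped."""
    out = subprocess.run([ls_cmd, "-a", path], capture_output=True,
                         text=True, check=True).stdout
    return {name for name in out.splitlines() if name not in (".", "..")}


def hidden_names(raw, shown):
    """Entries present on disk but missing from the ls output."""
    return raw - shown


def find_hidden(path, ls_cmd="/bin/ls"):
    """Directory entries that the given ls binary fails to show."""
    return hidden_names(raw_entries(path), ls_entries(path, ls_cmd))


def demo():
    """Constructed scenario (hypothetical): a fake ls that drops one name.

    Returns (entries hidden by the fake ls, entries hidden by the real ls)."""
    tmp = tempfile.mkdtemp()
    for name in ("named.conf", "db.hidden"):
        open(os.path.join(tmp, name), "w").close()
    fake_ls = os.path.join(tmp, "fake_ls.sh")
    with open(fake_ls, "w") as f:
        # Wraps the real ls and filters out the "hidden" db file, the way a
        # trojaned /bin/ls would.
        f.write('#!/bin/sh\n/bin/ls "$@" | grep -v "^db.hidden$"\n')
    os.chmod(fake_ls, os.stat(fake_ls).st_mode | stat.S_IXUSR)
    return find_hidden(tmp, fake_ls), find_hidden(tmp)


if __name__ == "__main__":
    tampered, clean = demo()
    print("hidden by fake ls:", sorted(tampered))   # ['db.hidden']
    print("hidden by real ls:", sorted(clean))      # []
```

Run it against /bin, /etc/namedb or wherever the suspect files live; any name in the result is one the ls binary is suppressing, and a clean result only rules out a userland trojan, not a kernel one.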