From owner-freebsd-questions Sun Sep 30 6:36:10 2001 Delivered-To: freebsd-questions@freebsd.org Received: from jason-n3xt.org (42.mujb.dlls.dllstxbk.dsl.att.net [12.98.249.42]) by hub.freebsd.org (Postfix) with ESMTP id 9843A37B40C for ; Sun, 30 Sep 2001 06:36:06 -0700 (PDT) Received: from localhost (jason@localhost) by jason-n3xt.org (8.11.6/8.11.5) with ESMTP id f8UDZw106607; Sun, 30 Sep 2001 13:35:59 GMT (envelope-from jason@jason-n3xt.org) Date: Sun, 30 Sep 2001 13:35:58 +0000 (GMT) From: Jason To: Doug Reynolds Cc: FreeBSD , "questions@freebsd.org" Subject: Re: I was rooted using telnet In-Reply-To: <200109300608.f8U68gK04314@jason-n3xt.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG I personally only use ssh when I am remote. I don't think that is the problem. No one else has privileges on my box and I don't su remotely unless it's something that can't possibly wait until I get home. --- Jason jason@jason-n3xt.org On Sun, 30 Sep 2001, Doug Reynolds wrote: > On Sun, 30 Sep 2001 00:38:38 +0000 (GMT), Jason wrote: > > >I do recall the security notice. I read it on the website and from the > >security list. I was already planning a cvsup at the time and I asked a > >couple of BSD gurus I know if that when I update my sources by cvsup, > >would that take care of the problem. They told me it would. So a couple > >of days after I saw the security advisory I cvsuped from > >cvsup2.FreeBSD.org (i usually only use 2 or 3) and thought the problem was > >taken care of. I don't recall seeing any other advisories. > > the only thing i can think of is if they hacked u, they probably > grabbed your root password and logged on with it. _always_ ssh when > you su > > > > > >> Were you running a ver of FreeBSD prior to July 23, 2001? Versions prior > >> to July 23 had a remotely rootable telnetd as per > >> ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:49.telnetd.v1.1.asc > >> > >> On Sat, 29 Sep 2001, Jason wrote: > >> > >> > Hello: > >> > > >> > A couple of days ago I was rooted by someone using a telnet exploit. I > >> > have been cvsup'ing my sources regularly and was using 4.4-RC at the > >> > time. I've since moved to 4.4-STABLE. It looks like they used some kind > >> > of script. I still have it if anyone wants it. Since then I have turned > >> > off telnet in inetd and blocked the port with a firewall. > >> > > >> > Anyone have any ideas on how a person could do this? I looks like this > >> > script just tries to move a lot of data for a long period of time. > >> > > >> > --- > >> > Jason > >> > jason@jason-n3xt.org > >> > > >> > > >> > To Unsubscribe: send mail to majordomo@FreeBSD.org > >> > with "unsubscribe freebsd-questions" in the body of the message > >> > > >> > > >> > > >> > >> > > > > > >To Unsubscribe: send mail to majordomo@FreeBSD.org > >with "unsubscribe freebsd-questions" in the body of the message > > > > --- > doug reynolds | the maverick | mav@wastegate.net > > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message