Date: Tue, 22 Sep 1998 22:52:53 +0200
From: Neil Blakey-Milner <nbm@rucus.ru.ac.za>
To: Ping Mai <ping@stepnet.com>, freebsd-isp@FreeBSD.ORG
Subject: Re: HELP: hacked by John the Ripper
Message-ID: <19980922225253.A17697@rucus.ru.ac.za>
In-Reply-To: <199809221554.IAA02712@pushkar.stepnet.com>; from Ping Mai on Tue, Sep 22, 1998 at 08:54:09AM -0700
References: <199809221554.IAA02712@pushkar.stepnet.com>
On Tue 1998-09-22 (08:54), Ping Mai wrote:
> It seems my system has been hacked. The hacker altered the DNS tables and
> left a passwd cracker in /bin. There were DNS db files that were invisible
> to "/bin/ls", but they show up from "od" dump of the directory. Can someone
> help me to find out how he got in initially? What should I do at this point?
> Should I wipe the disk on this system?

It would help if you gave versions of FreeBSD, when you last made world, and so forth, but I think the two most likely are qpopper and bind, both of which were about 2/3 months(?) or so ago.

At this stage, I'd recommend going to backups (you _do_ have backups, don't you?). If that's not an option, back up /home, /etc, pertinent bits of /var and /usr/local/etc now, and then nuke the system, install a more recent version of FreeBSD (or install your previous one and cvsup to a newer version).

You then have to go through the arduous task of checking your /etc and /var stuff for crontabs, and so forth, and updating to the new /etc format (depending on how old your FreeBSD install was), and then restoring /home.

I think that's about it, really. It'd probably be in your best interest to bribe your local FreeBSD guru with lots of coke, chocolate and coffee and enlist his or her help in this.

Neil

-- 
Neil Blakey-Milner
nbm@rucus.ru.ac.za
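An added example, not part of the thread and not code from either poster, covering two of the checks the reply calls for. The first cross-checks a directory listing from the suspect ls(1) against an independent enumeration by find(1), which is the modern equivalent of the original poster's od(1) dump of the raw directory (a replaced /bin/ls that suppresses certain names will disagree with a listing produced by a different binary). The second pulls the active lines out of the cron files in a saved copy of /etc and /var, so anything planted in a crontab is reviewed before those files are restored onto the rebuilt system. It assumes a POSIX sh with find, ls, sed, sort, comm and mktemp, entry names without newlines, and FreeBSD's cron layout (/etc/crontab and /var/cron/tabs/<user>); the sample files in the usage notes are constructed.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumptions: POSIX sh with
# find, ls, sed, sort, comm and mktemp in PATH; directory entry names do not
# contain newlines; cron files live where FreeBSD puts them
# (/etc/crontab and /var/cron/tabs/<user>).

# hidden_entries DIR [LS_CMD]
# Print every name in DIR that "LS_CMD -A DIR" omits, one per line.
# LS_CMD defaults to plain "ls", i.e. whatever binary PATH resolves to,
# which is exactly the one you distrust on a compromised host.
# Exit status: 0 if the two views agree, 1 if ls is hiding something.
hidden_entries() {
    dir=$1
    lscmd=${2:-ls}
    tmpd=$(mktemp -d) || return 2
    # find walks the directory with its own readdir loop and shares no code
    # with the suspect ls binary, so it is an independent witness.
    find "$dir" -mindepth 1 -maxdepth 1 | sed 's|.*/||' | LC_ALL=C sort > "$tmpd/find"
    "$lscmd" -A "$dir" | LC_ALL=C sort > "$tmpd/ls"
    # comm -23: lines present in the first file only (seen by find, not by ls)
    comm -23 "$tmpd/find" "$tmpd/ls" > "$tmpd/hidden"
    cat "$tmpd/hidden"
    if [ -s "$tmpd/hidden" ]; then rc=1; else rc=0; fi
    rm -rf "$tmpd"
    return $rc
}

# cron_entries ROOT
# Print the non-blank, non-comment lines of the cron files under a saved copy
# of the old system rooted at ROOT (e.g. the tarball of /etc and /var that the
# reply says to take before wiping the box), each prefixed with its file name.
cron_entries() {
    root=${1%/}
    for f in "$root/etc/crontab" "$root"/var/cron/tabs/*; do
        [ -f "$f" ] || continue
        # strip comments and blank lines, keep the file name for context
        grep -v '^[[:space:]]*#' "$f" | grep -v '^[[:space:]]*$' | sed "s|^|$f: |"
    done
}

# Usage on a live box (directory the poster mentioned is the DNS data dir):
#   hidden_entries /etc/namedb
# Usage on a saved copy of the old system unpacked under /mnt/old:
#   cron_entries /mnt/old
```

On a healthy system `hidden_entries` prints nothing and exits 0. The check only proves that ls and find agree; if both binaries were replaced, or the kernel itself hides entries, it says nothing, which is why the reply's advice to rebuild from media rather than trust the running system still stands. `cron_entries` is meant to be run against the backup, not the compromised host, so the output is read by a person before any of those files are copied back.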
