Delivered-To: freebsd-questions@freebsd.org
From: "Ted Mittelstaedt"
To: "Jorge Biquez"
Subject: RE: URGENT - Seems like i've been hacked... what to do now?
Date: Sat, 28 Jul 2001 23:34:49 -0700

The correct way is to religiously follow the current security advisories.

Telnet's only problem is that if any part of the connection passes over
a network infrastructure in which sniffing is practical (as opposed to
theoretical) then it's not secure. But if that isn't the case, then your
increased exposure using Telnet as opposed to SSH is theoretical.

If you're willing to believe that backbone providers allow any Joe off
the street into their network rooms to attach sniffers, or other equally
silly and impractical stories, then you probably would feel better using
SSH than Telnet.

Ted Mittelstaedt tedm@toybox.placo.com
Author of: The FreeBSD Corporate Networker's Guide
Book website: http://www.freebsd-corp-net-guide.com

>-----Original Message-----
>From: owner-freebsd-questions@FreeBSD.ORG
>[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Jorge Biquez
>Sent: Saturday, July 28, 2001 11:23 AM
>To: freebsd-questions@FreeBSD.ORG
>Subject: Re: URGENT - Seems like i've been hacked... what to do now?
>
>
>Reading this confirms to me that I do not know anything yet....
>
>I have FreeBSD 4.2 running for web services of my own. No one else uses or
>has access to the machine, no other users. But I use telnet as the way to
>control my machines. If I read the last messages correctly I should disable
>telnetd and use alternatives, like SSH services (btw I remember a
>discussion a few months ago saying SSH was not the correct way to go
>either)....
>
>What's the best way to stay? If the path to follow is to disable telnetd and
>have SSH services running, could you please point me to resources on how to
>implement this?
>
>Thanks in advance.
>
>JB
>
>At 01:30 28/07/01 -0400, you wrote:
>> > So I should only allow SSH connections?
>> >
>> > Is there any way to see what has been modified since a
>> > particular date?
>> >
>> > -Sameer
>>
>>Yes use SSH, there are great terminal apps out there that are
>>freeware like putty and tera term pro that will allow you to
>>ssh in from a msft system.
>>
>>At least unplug it from the internet for now, so the rest of us
>>don't have to deal with someone using it to DoS from. :)
>>
>>You can always check for files with the find -mtime option,
>>you can check your wtmp by using "last" and all of that. But
>>you'd probably be better off just re-installing for now, unless
>>you want the experience of trying to track down what was done.
>>If you want to do that, go start reading up on what to do.. but
>>unplug the NIC.
>>
>>Enjoy.
>>
>>-Russell
>>
>>To Unsubscribe: send mail to majordomo@FreeBSD.org
>>with "unsubscribe freebsd-questions" in the body of the message
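
The quoted question about seeing what changed "since a particular date", and the find -mtime suggestion in reply, as an added example that is not part of the original thread. It goes one step beyond -mtime (which counts 24-hour periods back from the moment find runs) by comparing against a reference file stamped with a fixed cutoff. The function names are hypothetical, and find is assumed to support -cnewer (FreeBSD and GNU find do).

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Cutoff stamps use the touch -t format: CCYYMMDDhhmm.
# Assumption: find(1) supports -cnewer (true for FreeBSD and GNU find).

# Create a reference file whose mtime is the cutoff and print its path.
make_ref() {
    ref=$(mktemp "${TMPDIR:-/tmp}/cutoff.XXXXXX") || return 1
    touch -t "$1" "$ref" || { rm -f "$ref"; return 1; }
    printf '%s\n' "$ref"
}

# Regular files under DIR whose contents were modified after the cutoff.
# usage: modified_since DIR CCYYMMDDhhmm
modified_since() {
    ref=$(make_ref "$2") || return 1
    find "$1" -xdev -type f -newer "$ref" -print | sort
    rm -f "$ref"
}

# Regular files whose inode changed after the cutoff (ctime) while their
# mtime is not newer than the cutoff. mtime can be set to any value with
# touch, but doing so updates ctime, so these files were touched after
# the cutoff even though their modification time says otherwise. That is
# a reason to look closer, not proof: chmod, rename and restores that
# preserve mtime produce the same pattern.
# usage: backdated_since DIR CCYYMMDDhhmm
backdated_since() {
    ref=$(make_ref "$2") || return 1
    find "$1" -xdev -type f -cnewer "$ref" ! -newer "$ref" -print | sort
    rm -f "$ref"
}

# Typical use on a suspect host, after it is off the network:
#   modified_since  /etc 200107270000
#   backdated_since /usr/local/bin 200107270000
```

Timestamps on a machine that may have been compromised are only as trustworthy as the system reporting them, so treat the output as a starting list rather than a complete one.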