Date: Fri, 6 Nov 1998 09:10:30 -0800
From: Sean Harding
Reply-To: Sean Harding
To: "Alexander B. Povolotsky"
cc: mwlucas@exceptionet.com, freebsd-security@FreeBSD.ORG
Subject: Re: *huge* setuid diffs
In-Reply-To: <199811061419.RAA01848@enterprise.sl.ru>
Sender: owner-freebsd-security@FreeBSD.ORG

On Fri, 6 Nov 1998, Alexander B. Povolotsky wrote:

> *IMMEDIATELY* shut down both servers and do not bring them to the Internet until
> you've found the reason.

Actually, I recommend pulling it off the network, but not shutting it down. If you have had an intrusion, shutting it down will destroy much of the evidence (running processes, etc.). You'll have a much harder time determining what has been done.

sean

--
Sean Harding sharding@oregon.uoregon.edu | "Remember how it all began
http://gladstone.uoregon.edu/~sharding/  |  The apple and the fall of man"
Consulting: http://www.efn.org/~seanh/   |  --Natalie Merchant