Date: Fri, 06 Nov 1998 11:55:19 -0700
To: Sean Harding, "Alexander B. Povolotsky"
From: Brett Glass
Subject: Re: *huge* setuid diffs
Cc: mwlucas@exceptionet.com, freebsd-security@FreeBSD.ORG

That's good advice, especially if the intruder has killed syslogd.

--Brett

At 09:10 AM 11/6/98 -0800, Sean Harding wrote:
>On Fri, 6 Nov 1998, Alexander B. Povolotsky wrote:
>
>> *IMMEDIATELY* shut down both servers and do not bring them onto the
>> Internet until you have found the reason.
>
>Actually, I recommend pulling it off the network, but not shutting it
>down. If you have had an intrusion, shutting it down will destroy much of
>the evidence (running processes, etc). You'll have a much harder time
>determining what has been done.
>
>sean
>
>--
>Sean Harding sharding@oregon.uoregon.edu|"Remember how it all began
>http://gladstone.uoregon.edu/~sharding/ | The apple and the fall of man"
>Consulting: http://www.efn.org/~seanh/ | --Natalie Merchant

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message