From owner-freebsd-security Thu Apr 19 2:48:23 2001
Delivered-To: freebsd-security@freebsd.org
Received: from serenity.mcc.ac.uk (serenity.mcc.ac.uk [130.88.200.93])
    by hub.freebsd.org (Postfix) with ESMTP id D6D0C37B43C
    for ; Thu, 19 Apr 2001 02:48:20 -0700 (PDT)
    (envelope-from rasputin@freebsd-uk.eu.org)
Received: from dogma.freebsd-uk.eu.org ([130.88.200.97] ident=root)
    by serenity.mcc.ac.uk with esmtp (Exim 2.05 #4) id 14qB2y-000MIb-00
    for security@freebsd.org; Thu, 19 Apr 2001 10:48:20 +0100
Received: (from rasputin@localhost)
    by dogma.freebsd-uk.eu.org (8.11.1/8.11.1) id f3J9mJr25752
    for security@freebsd.org; Thu, 19 Apr 2001 10:48:19 +0100 (BST)
    (envelope-from rasputin)
Date: Thu, 19 Apr 2001 10:48:19 +0100
From: Rasputin
To: security@freebsd.org
Subject: Re: unknown process
Message-ID: <20010419104819.A25707@dogma.freebsd-uk.eu.org>
Reply-To: Rasputin
References: <200104190324.VAA14081@faith.cs.utah.edu> <20010419123915.A446@ringworld.oblivion.bg>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: <20010419123915.A446@ringworld.oblivion.bg>; from roam@orbitel.bg on Thu, Apr 19, 2001 at 12:39:15PM +0300
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

* Peter Pentchev [010419 10:42]:
> On Thu, Apr 19, 2001 at 11:31:26AM +0200, Dag-Erling Smorgrav wrote:
> > "David G. Andersen" writes:
> > > You've been hacked. Do what Kris said immediately - take your
> > > system offline, and figure out how they got in. You'll likely
> > > need to either restore from backups, a fresh install, or check
> > > your tripwire/etc logs to determine what else the intruder
> > > changed, if they installed a rootkit, etc.
> >
> > It's not either/or. The only acceptable solution to this situation is
> > a complete reinstall from a trusted source (e.g. original CD set).

Just a thought - do the cvs servers count as 'trusted'?
How feasible would it be to cvsup and installworld?
I'd personally go for reinstalling the compiler, cvsup binary,
networking packages, etc. from CD first - that probably wouldn't be
enough, though, would it?

-- 
Rasputin
Jack of All Trades :: Master of Nuns