From owner-freebsd-security Tue Jul 2 22:13:36 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3)
	id WAA00749 for security-outgoing; Tue, 2 Jul 1996 22:13:36 -0700 (PDT)
Received: from haven.uniserve.com (haven.uniserve.com [198.53.215.121])
	by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id WAA00741
	for ; Tue, 2 Jul 1996 22:13:33 -0700 (PDT)
Received: by haven.uniserve.com id <32076-23942>; Tue, 2 Jul 1996 22:17:09 -0800
Date: Tue, 2 Jul 1996 22:17:01 -0700 (PDT)
From: Tom Samplonius
To: "Pedro F. Giffuni S."
cc: security@FreeBSD.org
Subject: Re: Sendmail cracked!
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 2 Jul 1996, Pedro F. Giffuni S. wrote:

> Hello:
> I am running Kerberos and DES, but to my surprise my 2 FreeBSD's and my
> AIX's received me with a funny message: /etc/motd was modified and wtmp
> erased.
> I knew I was under attack before because of some failed logins, on my fbsds,
> and strange "cannot execute" messages in my AIXs root mail. By the message I
> received, I know other computers in the campus are cracked also.
>
> My solution was securing sendmail by running it in the inetd.conf with
> tcp_wrappers. It is a last moment solution... Is there a new sendmail, a
> patch, or a configuration option?
>
> regards,
> Pedro.
>

How do you know it was Sendmail?

Tom