From: Jim Shankland
Date: Tue, 21 Jul 1998 22:36:50 -0700 (PDT)
To: ahd@kew.com, leec@adam.adonai.net
Cc: security@FreeBSD.ORG
Subject: Re: hacked and don't know why
Message-Id: <199807220536.WAA11804@biggusdiskus.flyingfox.com>

"Lee Crites (ASC)" writes:

> In my case, the bin directories (/bin, /sbin, /usr/bin,
> /usr/sbin, etc.) were still there, just that every program was
> replaced with the exact same "dummy" program. All were, as I
> recall, around 180k (exact same size, with cmp showing no
> differences in any of them). The funny thing is that ls did what
> ls was supposed to do, ps did what it was supposed to do, etc.,
> even though they were the same size and cmp'd as identical.

I *definitely* want to know how to squeeze every executable in /bin,
/sbin, /usr/bin, and /usr/sbin into one 180KB file. I'll bet Jordan
would, too, if he hadn't forsworn working on sysinstall :-).

The symptoms you describe (not counting the blow to the head), as
well as Drew's, make me think "filesystem damage due to failing/flaky
hardware" before "security compromise." Can't say for sure, of course;
and in both cases, the evidence is gone. But I think you may be
jumping to conclusions a bit to assert, "We were hacked like this two
weeks ago."

Jim Shankland
Flying Fox Computer Systems, Inc.
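The symptom described in the quoted message, every file in a bin directory having the same size and comparing identical under cmp, is something that can be measured rather than recalled, and a checksum manifest taken while the system is known to be good is what turns "the evidence is gone" into a concrete list of which files changed. The script below is an added example, not part of the original message and not a FreeBSD tool; it uses only POSIX utilities (cksum, awk, sort, diff). The function names, the directory argument and the sample files created in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: spot a directory of byte-identical "binaries" and
# verify a directory against a previously recorded checksum manifest.
# Assumed interface: every function takes a directory path as $1.

# One "crc size path" line per regular file directly under $1 (cksum format).
checksum_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        cksum "$f"
    done
}

# Largest group of byte-identical files under $1. Prints "count crc size".
# On the quoted system this would have printed something like
# "<number of programs> <crc> 18xxxx" for /bin, which is the smoking gun.
largest_identical_group() {
    checksum_dir "$1" | awk '
        { n[$1 " " $2]++ }
        END {
            best = 0; key = "0 0"
            for (k in n) if (n[k] > best) { best = n[k]; key = k }
            print best, key
        }'
}

# Paths belonging to the largest identical group under $1, one per line.
identical_members() {
    checksum_dir "$1" | awk '
        { key = $1 " " $2; n[key]++; line[NR] = $0; k[NR] = key }
        END {
            best = 0
            for (x in n) if (n[x] > best) { best = n[x]; bk = x }
            for (i = 1; i <= NR; i++) if (k[i] == bk) {
                p = line[i]; sub(/^[0-9]+ +[0-9]+ +/, "", p); print p
            }
        }'
}

# Record a baseline manifest for $1 (sorted by path) on stdout.
# Take it while the system is trusted and keep it off the machine.
make_manifest() {
    checksum_dir "$1" | sort -k3
}

# Compare directory $1 against manifest file $2.
# Returns 0 if nothing changed; otherwise prints the differing entries
# ('<' = baseline entry now changed or missing, '>' = current entry
# that differs or is new) and returns 1.
verify_manifest() {
    cur=$(mktemp) || return 2
    make_manifest "$1" > "$cur"
    if diff "$2" "$cur" > /dev/null; then
        rm -f "$cur"
        return 0
    fi
    diff "$2" "$cur" | grep '^[<>]'
    rm -f "$cur"
    return 1
}

# Usage (assumed paths):
#   make_manifest /bin > /mnt/floppy/bin.manifest     # while trusted
#   verify_manifest /bin /mnt/floppy/bin.manifest     # after the incident
#   largest_identical_group /bin; identical_members /bin
```

A manifest kept on read-only or off-box media answers the question Jim raises: a failing disk tends to corrupt a scattered set of files with garbage contents, whereas an intruder's replacement binaries show up as a tidy group of identical checksums at the same paths.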