From owner-freebsd-security Tue Jul 21 23:14:42 1998
Message-Id: <199807220613.AAA26581@lariat.lariat.org>
Date: Wed, 22 Jul 1998 00:13:29 -0600
To: Jim Shankland, ahd@kew.com, leec@adam.adonai.net
From: Brett Glass
Subject: Re: hacked and don't know why
Cc: security@FreeBSD.ORG
In-Reply-To: <199807220536.WAA11804@biggusdiskus.flyingfox.com>

The symptoms aren't hard to understand. As I found out when we were hit by
the same hack, buffer overflow exploits also hose memory... The disk cache,
kernel data, possibly even page tables can be corrupted. Nothing's safe. If
you do anything to your file system before rebooting, you can wind up with
corrupted directories and worse. This happened to us.

--Brett

At 10:36 PM 7/21/98 -0700, Jim Shankland wrote:
>"Lee Crites (ASC)" writes:
>
>> In my case, the bin directories (/bin, /sbin, /usr/bin,
>> /usr/sbin, etc) were still there, just that every program was
>> replaced with the exact same "dummy" program. All were, as I
>> recall, around 180k (exact same size with cmp showing no
>> differences in any of them). The funny thing is that ls did what
>> ls was supposed to do, ps did what it was supposed to do, etc,
>> even though they were the same size and cmp'd as identical.
>
>I *definitely* want to know how to squeeze every executable in
>/bin, /sbin, /usr/bin, and /usr/sbin into one 180KB file. I'll
>bet Jordan would, too, if he hadn't foresworn working on sysinstall :-).
>
>The symptoms you describe (not counting the blow to the head), as
>well as Drew's, make me think "filesystem damage due to failing/flaky
>hardware" before "security compromise." Can't say for sure,
>of course; and in both cases, the evidence is gone. But I think
>you may be jumping to conclusions a bit to assert, "We were hacked
>like this two weeks ago."
>
>Jim Shankland
>Flying Fox Computer Systems, Inc.
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe security" in the body of the message
>
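As an added example that is not part of the thread: a quick check a defender could run for the symptom Lee describes, where every program in the bin directories turns out to be the same file. It groups executables by content and reports clusters of identical files; the directory and file names in the demo are constructed, and it assumes a POSIX sh with find, cksum, awk and sort.

```shell
#!/bin/sh
# Group regular files in the given directories by content (cksum CRC + byte
# count) and print every cluster of two or more identical files, largest
# cluster first. Output line: "<count> <size> <crc> <path> <path> ...".
# cksum is a CRC, not a cryptographic hash: confirm a reported cluster with
# cmp, and compare against a baseline from install media before acting on it.
# Paths containing spaces are not handled (system bin directories have none).
identical_clusters() {
    for d in "$@"; do
        find "$d" -maxdepth 1 -type f -exec cksum {} + 2>/dev/null
    done | awk '{
        key = $1 " " $2                # same CRC and same size => same content
        n[key]++
        paths[key] = paths[key] " " $3
        size[key] = $2; crc[key] = $1
    }
    END {
        for (k in n)
            if (n[k] > 1)
                printf "%d %s %s%s\n", n[k], size[k], crc[k], paths[k]
    }' | sort -rn
}

# Size of the largest cluster, or 0 when no two files are identical.
largest_cluster() {
    identical_clusters "$@" | awk 'NR == 1 { print $1; found = 1 }
                                   END { if (!found) print 0 }'
}

# Demo on a constructed directory standing in for /bin, /sbin, /usr/bin, /usr/sbin.
demo_dir=$(mktemp -d)
for name in ls ps cat sh; do
    printf 'same dummy payload\n' > "$demo_dir/$name"
done
printf 'a genuinely different program\n' > "$demo_dir/uniq"
identical_clusters "$demo_dir"      # one cluster of 4: ls ps cat sh
rm -rf "$demo_dir"
```

On a live system a single cluster covering most of /bin and /usr/bin is the "every program is the same 180k file" observation from the thread, reduced to one line of output.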