From owner-freebsd-security Sat Dec 2 00:38:04 1995
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id AAA05554 for security-outgoing; Sat, 2 Dec 1995 00:38:04 -0800
Received: from genesis.atrad.adelaide.edu.au (genesis.atrad.adelaide.edu.au [129.127.96.120]) by freefall.freebsd.org (8.6.12/8.6.6) with ESMTP id AAA05535 for ; Sat, 2 Dec 1995 00:37:51 -0800
Received: from msmith@localhost by genesis.atrad.adelaide.edu.au (8.6.12/8.6.9) id TAA21321; Sat, 2 Dec 1995 19:09:40 GMT
From: Michael Smith
Message-Id: <199512021909.TAA21321@genesis.atrad.adelaide.edu.au>
Subject: Re: ****HELP*****
To: rdugaue@calweb.com (Robert Du Gaue)
Date: Sat, 2 Dec 1995 19:09:40 +0000 ()
Cc: jkh@time.cdrom.com, security@FreeBSD.ORG
In-Reply-To: from "Robert Du Gaue" at Nov 30, 95 00:55:10 am
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1953
Sender: owner-security@FreeBSD.ORG
Precedence: bulk

Robert Du Gaue stands accused of saying:
> Well it's a regular user. Is this the normal method? Reassign him a new
> login id? One thing though is that he's a dedicated fixed-IP account too
> with a registered domain so I'm hesitant to disable his system because of
> something someone is doing to him. I can remove his local account, but
> the hacker has also gone into the radius /etc/raddb/users file and
> removed his fixed IP login also.

Just on the networking side, check that you _don't_ have the bpf code
(options bpfilter n) in the FreeBSD kernel.

Do a virgin install to another machine and check the permissions on
everything in /dev, and sizes, dates and _md5_checksums_ of all of your
system binaries.

Jordan; how hard would it be to generate a file with the md5's of a stock
release system's "standard binaries" for this sort of thing?

> > I'm curious how he got ahold of the real password file - are you sure
> > it wasn't just the shadow passwords?
>
> When we specifically asked the user if there was an '*' in the second
> field he said 'no, a bunch of garbage characters'.

I would presume you've checked the permissions on /etc/master.passwd,
/etc/pwd.db and /etc/spwd.db?

Change the admin passwords on the portmaster too (if it has that sort of
thing). Change your root password too. (obviously 8)

> Really???? Has Law Enforcement finally figured out this is serious shit?
> I was under the impression that most agencies have no clue on what to do
> and how to do anything about it.

Hell yes. There's money in the industry now 8)

-- 
]] Mike Smith, Software Engineer          msmith@atrad.adelaide.edu.au [[
]] Genesis Software                      genesis@atrad.adelaide.edu.au [[
]] High-speed data acquisition and       (GSM mobile) 041-122-496     [[
]] realtime instrument control           (ph/fax) +61-8-267-3039      [[
]] "Who does BSD?" "We do Chucky, we do."                              [[
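The baseline comparison Mike suggests (a manifest of sizes and md5 checksums taken from a virgin install, checked against the suspect machine's binaries) as an added example; this is not code from the thread or from FreeBSD. It assumes a POSIX shell with either md5sum or md5 and either GNU or BSD stat, and it records the file mode as well so a setuid bit added to a binary is reported alongside content changes.

```shell
# Baseline-and-verify integrity check for the procedure in the thread above:
# record mode, size and md5 of every file under a trusted tree (a virgin
# install), then compare the suspect machine's tree against that manifest.
# Assumes md5sum (GNU) or md5 (BSD), and GNU or BSD stat.

# md5 of one file, whichever tool the platform has.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Octal mode (setuid/setgid/sticky bits included) and size in bytes.
file_meta() {
    stat -c '%a %s' "$1" 2>/dev/null || stat -f '%Mp%Lp %z' "$1"
}

# make_manifest ROOT: one "mode size md5 relative-path" line per regular
# file; the path goes last so names with spaces survive the read below.
make_manifest() {
    root=$1
    ( cd "$root" && find . -type f | sort ) | while read -r f; do
        printf '%s %s %s\n' "$(file_meta "$root/$f")" "$(file_md5 "$root/$f")" "$f"
    done
}

# verify_manifest MANIFEST ROOT: prints MISSING/CHANGED lines and returns
# 0 only when every file in the manifest still matches the baseline.
verify_manifest() {
    manifest=$1; root=$2; bad=0
    while read -r mode size sum f; do
        if [ ! -f "$root/$f" ]; then
            echo "MISSING $f"; bad=$((bad + 1)); continue
        fi
        cur="$(file_meta "$root/$f") $(file_md5 "$root/$f")"
        if [ "$cur" != "$mode $size $sum" ]; then
            echo "CHANGED $f: baseline '$mode $size $sum', now '$cur'"
            bad=$((bad + 1))
        fi
    done < "$manifest"
    [ "$bad" -eq 0 ]
}

# "baseline /mnt/clean > manifest" on the virgin install, then
# "verify manifest /" on the suspect host from a trusted shell and binaries.
case "${1:-}" in
    baseline) make_manifest "$2" ;;
    verify)   verify_manifest "$2" "$3" ;;
esac
```

Keep the manifest and the md5/stat tools you run it with off the suspect machine, since a tampered md5 binary would otherwise verify itself.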