From owner-freebsd-questions Thu Dec 26 06:05:20 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id GAA21035 for questions-outgoing; Thu, 26 Dec 1996 06:05:20 -0800 (PST)
Received: from ns1.internet1.net (ns1.internet1.net [206.250.31.6]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id GAA21024 for ; Thu, 26 Dec 1996 06:05:16 -0800 (PST)
Received: from station2.internet1.net (station2.internet1.net [206.250.31.22]) by ns1.internet1.net (8.7.5/8.7.3) with SMTP id JAA26899 for ; Thu, 26 Dec 1996 09:01:16 -0500 (EST)
Message-ID: <32C285AB.132F@internet1.net>
Date: Thu, 26 Dec 1996 09:03:23 -0500
From: Matthew Hagerty
Reply-To: matthew@internet1.net
Organization: internet1
X-Mailer: Mozilla 3.0 (Win95; I)
MIME-Version: 1.0
To: questions@freebsd.org
Subject: Init missing
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Greetings,

It seems one of my FreeBSD boxes was hacked :( When I came in this morning, the screen on my 2.1.6 box was scrolling messages similar to this:

Dec 25 02:08:50 ns1 statd[150]: attempt to create "/var/statmon/sm//../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../..//../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/.nfs09 D H $ $ $ $ ` O * õ * * * # # ü P*` c 6 ý ) ý # # ; # XbinXsh tirdwr "

Does anyone know what kind of attack this is and what I should be looking for and how to prevent it in the future?

Also, when I try to boot my FreeBSD box, I get an error: init not found. panic. reboot in progress...

Is there any way I can start the system or mount the file systems to see what was damaged and/or recover any files?

Thank you for your time,

Matthew Hagerty
matthew@internet1.net
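The logged statd path above starts in /var/statmon/sm but carries ../ components and non-hostname bytes. The following is an added example, not part of the original message, that flags such lines in a syslog file; the function name `inspect`, the hostname pattern and the sample lines are assumptions constructed for illustration.

```python
import posixpath
import re

SM_DIR = "/var/statmon/sm"  # monitor directory as it appears in the logged path
# Shape of the line quoted in the message: '<host> statd[pid]: attempt to create "<path>'
LINE_RE = re.compile(r'(\S+) statd\[\d+\]: attempt to create "(.*)')
# Assumption: a legitimate monitor file is named after a plain hostname.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?")

def inspect(line):
    """Return None for unrelated lines, else (host, resolved_path, reasons)."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    host, raw = m.group(1), m.group(2).rstrip()
    if raw.endswith('"'):          # closing quote may be missing in garbled lines
        raw = raw[:-1]
    reasons = []
    if ".." in raw.split("/"):
        reasons.append("dot-dot component")
    resolved = posixpath.normpath(raw)   # lexical resolution only, no filesystem access
    if not resolved.startswith(SM_DIR + "/"):
        reasons.append("resolves outside " + SM_DIR)
    name = raw[len(SM_DIR) + 1:] if raw.startswith(SM_DIR + "/") else raw
    if not HOSTNAME_RE.fullmatch(name):
        reasons.append("name is not a plain hostname")
    return host, resolved, reasons

# Constructed sample lines (shortened; not copied from a real log).
SAMPLES = [
    'Dec 25 02:08:50 ns1 statd[150]: attempt to create '
    '"/var/statmon/sm//../../../../tmp/.nfs09 \xf5 XbinXsh"',
    'Dec 25 02:10:00 ns1 statd[150]: attempt to create '
    '"/var/statmon/sm/client1.example.net"',
    'Dec 25 02:11:00 ns1 sendmail[212]: JAA00001: to=root, stat=Sent',
]

if __name__ == "__main__":
    for line in SAMPLES:
        result = inspect(line)
        if result and result[2]:
            host, resolved, reasons = result
            print(f"{host}: suspicious statd target {resolved!r}: {', '.join(reasons)}")
```
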