Date: Wed, 22 Jul 1998 23:34:47 +1200 (NZST)
From: Andrew McNaughton
Reply-To: andrew@squiz.co.nz
To: Brett Glass
cc: Jim Shankland, ahd@kew.com, leec@adam.adonai.net, security@FreeBSD.ORG
Subject: Re: hacked and don't know why
In-Reply-To: <199807220613.AAA26581@lariat.lariat.org>

On Wed, 22 Jul 1998, Brett Glass wrote:

> Date: Wed, 22 Jul 1998 00:13:29 -0600
> From: Brett Glass
> To: Jim Shankland, ahd@kew.com, leec@adam.adonai.net
> Cc: security@FreeBSD.ORG
> Subject: Re: hacked and don't know why
>
> The symptoms aren't hard to understand. As I found out when we
> were hit by the same hack, buffer overflow exploits also
> hose memory.... The disk cache, kernel data, possibly even page tables
> can be corrupted. Nothing's safe. If you do anything to your file
> system before rebooting, you can wind up with corrupted directories
> and worse. This happened to us.
>
> --Brett

If it's any consolation, this probably means that the hackers overwrote
the wrong bit, and failed to effect anything more than a DOS. It should
probably be treated as a warning that if you fix things up without
finding the problem they might be more successful on the next attempt.

Andrew