From owner-freebsd-security@FreeBSD.ORG Tue Jan 27 12:52:40 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3478916A4CE for ; Tue, 27 Jan 2004 12:52:40 -0800 (PST) Received: from mail.evilcoder.org (cust.94.120.adsl.cistron.nl [195.64.94.120]) by mx1.FreeBSD.org (Postfix) with ESMTP id BB23943D3F for ; Tue, 27 Jan 2004 12:51:36 -0800 (PST) (envelope-from remko@elvandar.org) From: "Remko Lodder" To: "Peter Rosa" , "Mark Ogden" Date: Tue, 27 Jan 2004 21:50:43 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) In-Reply-To: <20040127204624.78E9919@mail.elvandar.org> Importance: Normal X-Virus-Scanned: by amavisd-new at elvandar.org Message-Id: <20040127204958.44C6D2B4D8E@mail.evilcoder.org> cc: freebsd-security@freebsd.org Subject: RE: [Freebsd-security] Re: Possible compromise ? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 Jan 2004 20:52:40 -0000 Yeah but if you are uncertain about your own box my VERY STRONG advise is that you reinstall. IF your host is indeed owned, then you are a lot further away then just reinstalling, god knows what issues can arrise when a cracker exploits the system to do bogus tasks.. Then i say: Too bad for your time, sorry but it's like that -- Kind regards, Remko Lodder Elvandar.org/DSINet.org www.mostly-harmless.nl Dutch community for helping newcomers on the hackerscene -----Oorspronkelijk bericht----- Van: Peter Rosa [mailto:prosa@pro.sk] Verzonden: dinsdag 27 januari 2004 21:46 Aan: Remko Lodder; Mark Ogden CC: freebsd-security@freebsd.org Onderwerp: Re: [Freebsd-security] Re: Possible compromise ? Yes, but it is the way I wouldn't like to go. Because of sooo much time :-( PR ----- Original Message ----- From: "Remko Lodder" To: "Mark Ogden" ; "Peter Rosa" Cc: Sent: Tuesday, January 27, 2004 9:42 PM Subject: RE: [Freebsd-security] Re: Possible compromise ? > that only works when you are presuming that the host was not hacked already > because i would clear those logs when i hacked a system :) > > but indeed it's a try, > > If you remain unsure, it is best to reinstall the system to be sure that a > fresh > and newly updated (yeah update it when installed :)) system is not > compromised at that > time.. > > loads of work, but it gives you some relief to know that it's clean. > > GoodLuck! > > -- > > Kind regards, > > Remko Lodder > Elvandar.org/DSINet.org > www.mostly-harmless.nl Dutch community for helping newcomers on the > hackerscene > > -----Oorspronkelijk bericht----- > Van: freebsd-security-bounces@lists.elvandar.org > [mailto:freebsd-security-bounces@lists.elvandar.org]Namens Mark Ogden > Verzonden: dinsdag 27 januari 2004 21:28 > Aan: Peter Rosa > CC: freebsd-security@freebsd.org > Onderwerp: [Freebsd-security] Re: Possible compromise ? > > > Peter Rosa on Tue, Jan 27, 2004 at 09:23:45PM +0100 wrote: > > OK, sorry for unclear previous message. > > > > In the past, one man teached me the FreeBSD basics and also installed my > > gateway. In that time, I was not able to install and setup FreeBSD by > > myself. He left there some holes - e.g. open virtual consoles, unset > > firewall, etc. As the time went, I learned a lot about Unixes and FreeBSD > > and I tried to setup my own firewall, install and setup some programs > (with > > big help of this and Questions lists, manpages and other books). > > > > When I tried to setup more security on that system, except other things, I > > disabled all virtual tty's, because there is no need to connect to this > > machine remotelly (it's located 5 steps from my desk). In the past, that > man > > connected to my system remotely from various IPs. > > > > Now, when I cat /var/log/lastlog, in the very bottom of the file, I can > read > > some connects from remote machines to ttyp0 and ttyp1. > > take a look at the /var/log/auth.log, it will show you everyone that > remote connected and was denied. > > -Mark > > >It's impossible for > > me to retrieve connection dates from that file. Of course, I read man > last, > > man wtmp, etc., but there is nothing about /var/log/lastlog file. > > > > May be, that lines was added in the deep past, when the machine was open. > > But may be, it was done in few previous days... > > > > I know, if my machine was compromised, it is impossible to believe in > > anything on that machine (also kernel, sources). So, are there some other > > ways to get information about connection dates? > > > > Peter Rosa > > > > _______________________________________________ > > freebsd-security@freebsd.org mailing list > > http://lists.freebsd.org/mailman/listinfo/freebsd-security > > To unsubscribe, send any mail to > "freebsd-security-unsubscribe@freebsd.org" > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" > _______________________________________________ > Freebsd-security mailing list > Freebsd-security@lists.elvandar.org > http://lists.elvandar.org/mailman/listinfo/freebsd-security >