From owner-freebsd-security Fri Jun 20 11:21:29 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id LAA16348 for security-outgoing; Fri, 20 Jun 1997 11:21:29 -0700 (PDT)
Received: from time.cdrom.com (root@time.cdrom.com [204.216.27.226]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id LAA16343 for ; Fri, 20 Jun 1997 11:21:26 -0700 (PDT)
Received: from time.cdrom.com (jkh@localhost.cdrom.com [127.0.0.1]) by time.cdrom.com (8.8.5/8.6.9) with ESMTP id LAA25520; Fri, 20 Jun 1997 11:20:49 -0700 (PDT)
To: Sean Kelly
cc: freebsd-security@FreeBSD.ORG
Subject: Re: Attempt to compromise root
In-reply-to: Your message of "Fri, 20 Jun 1997 10:33:14 MDT." <33AAB0CA.2781E494@fsl.noaa.gov>
Date: Fri, 20 Jun 1997 11:20:48 -0700
Message-ID: <25515.866830848@time.cdrom.com>
From: "Jordan K. Hubbard"
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> I've tried ftp'ing to the.art.of.sekurity.org and have been successful
> only once, but haven't been able to transfer any files. sekurity.org
> appears registered to an organization called "Insekurity, Inc.".

I've got the contents of the site mirrored now and I'll have a look through some of it as I have time. It's possible that there are some genuine compromises here, but it's hard to say.

> (1) Does this type of attack seem familiar? Is anyone aware of

Yes, but then a good 90% of the attacks I've seen are using somebody's "rootkit" (e.g. the attackers rarely understand the mechanics of what they're doing - it's all done by rote) and so in saying that it's familiar, all I'm saying is that it's distressingly typical. :(

> "sekurity.org" and what their purpose is? Is there someone there to
> whom I should complain? (Doubtful, as it appears the reason that ftp
> site exists is to provide a repository of cracking code.)

There are dozens of such sites around - I doubt you'd get much more than laughed at if you tried to make an issue of it.

> (2) Can we get an option during the FreeBSD install to generate the
> md5/mtree digest? Naturally, I read up on this feature after the

You mean of the exact tree you've installed? Hmmmm. There are the foo.mtree files in each distribution, but is there some reason why that wouldn't be enough? The bin.mtree file in particular pretty much covers any of the binaries you'd probably be interested in...

Jordan
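The md5/mtree digest discussed at the end of the thread is a file-integrity baseline: record per-file attributes and digests from a known-good tree, then later diff the live tree against that record so that a rootkit's replaced binaries, deleted files and dropped extras show up. The following is an added illustration of that idea, not code from the thread or FreeBSD's own mtree(8); it assumes a JSON record instead of the mtree spec format and uses SHA-256 rather than MD5 (MD5 collisions are practical today). The sample tree and the "trojaned ps" scenario are constructed for the demo. Note that a digest catches the swapped binary even though its size did not change, which a size-only check would miss.

```python
"""Build and verify an mtree-style integrity baseline for a directory tree.

Added example, not FreeBSD's mtree(8). Per regular file it records the
permission bits, the size and a SHA-256 digest; verify() then reports what
changed, vanished or appeared since the baseline was taken.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def _digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root) -> dict:
    """Return {relative_path: {mode, size, sha256}} for each regular file under root."""
    root = Path(root)
    spec = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            p = Path(dirpath) / name
            st = p.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices etc. are skipped in this toy spec
            spec[str(p.relative_to(root))] = {
                "mode": oct(stat.S_IMODE(st.st_mode)),
                "size": st.st_size,
                "sha256": _digest(p),
            }
    return spec


def save_baseline(spec: dict, out_file) -> None:
    """Write the spec as JSON; in practice this copy lives on read-only media."""
    Path(out_file).write_text(json.dumps(spec, indent=1, sort_keys=True))


def load_baseline(in_file) -> dict:
    return json.loads(Path(in_file).read_text())


def verify(root, spec: dict) -> dict:
    """Diff the live tree against a saved spec.

    Returns {"changed": [...], "missing": [...], "extra": [...]} with relative paths.
    """
    current = build_baseline(root)
    changed = sorted(p for p in spec if p in current and current[p] != spec[p])
    missing = sorted(p for p in spec if p not in current)
    extra = sorted(p for p in current if p not in spec)
    return {"changed": changed, "missing": missing, "extra": extra}


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then simulate a rootkit-style tamper."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "tree"
        (root / "bin").mkdir(parents=True)
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"pretend ls binary")
        (root / "bin" / "ps").write_bytes(b"original ps")
        (root / "etc" / "rc").write_bytes(b"startup script")

        # Baseline is stored outside the tree so it is not reported as "extra".
        spec_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), spec_file)

        # Tamper: same-size replacement of ps, a deleted file and a dropped extra.
        (root / "bin" / "ps").write_bytes(b"trojaned ps")
        (root / "etc" / "rc").unlink()
        (root / "bin" / ".rootkit").write_bytes(b"junk")

        return verify(root, load_baseline(spec_file))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```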