From owner-freebsd-questions Mon Apr 20 21:06:28 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA17330 for freebsd-questions-outgoing; Mon, 20 Apr 1998 21:06:28 -0700 (PDT) (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from aggravator.net (aggravator.net [209.20.152.178]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id EAA17254 for ; Tue, 21 Apr 1998 04:06:10 GMT (envelope-from aggravator@aggravator.net)
Date: Tue, 21 Apr 1998 04:06:10 GMT
Message-Id: <199804210406.EAA17254@hub.freebsd.org>
Received: from aggravator.net [209.20.152.178] by aggravator.net [209.20.152.178] with SMTP (MDaemon.v2.7.SP1.R) for ; Mon, 20 Apr 98 21:03:55 -0700
Received: from aggravator.net [209.20.152.178] by aggravator.net [209.20.152.178] with SMTP (MDaemon.v2.7.SP1.R) for ; Mon, 20 Apr 98 21:02:00 -0700
Received: from thetower [209.20.152.177] by aggravator.net [209.20.152.178] with SMTP (MDaemon.v2.7.SP1.R) for ; Mon, 20 Apr 98 21:00:06 -0700
X-Sender: aggravator@aggravator.net
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: freebsd-questions@FreeBSD.ORG
From: aggravator@aggravator.net (tj)
Subject: my freebsd su has been compromised, now what?
X-MDaemon-Deliver-To: freebsd-questions@FreeBSD.ORG
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

OK, I admit it, I took the short and easy path: I had an irc buddy I have known (on the IRC) help me with the dns setup. Nice, and it works, but he also made himself a backdoor to root. I found the file (or did I?!?) in his home dir w/ the help of one of my ISP providers. My ISP provider then proceeded to question me on whether there were any more of these /shx files, whether "my buddy" had modified the login files and other stuff, whether all passwords were being routed to some machine in BFE, and just scary scary stuff.

I guess my question is, how can I repair the damage (if indeed he has done any), or better yet, detect any damage? Or do I have to start over, like my ISP friend recommends (he also has a preference for Linux and Red Hat), and start over in Linux?

thanx
newbie learning the hard way,
Tim (tj)
aggravator.net
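The two checks the poster's ISP is hinting at (are there more setuid files like /shx hidden in home directories, and have the login binaries been altered) can be scripted. The following is an added example, not code from the original post or from the FreeBSD project; it assumes only a POSIX shell with `find`, `cksum`, `awk` and `sort`, and it builds a constructed directory tree to run against. The baseline it compares against is only trustworthy if it was recorded before the compromise or from known-good install media, which is exactly why a reinstall is the usual advice once root has been backdoored.

```shell
#!/bin/sh
# Added example (hypothetical helper script, not from the original post).
# Two defender-side checks after a suspected root backdoor:
#   1. list every setuid/setgid file under a tree (a stray /shx in a home
#      directory shows up here);
#   2. record and later re-verify POSIX cksum values for a set of binaries
#      (login, su, etc.) so silent replacement is detected.

# Print files under $1 that carry the setuid (4000) or setgid (2000) bit.
find_setuid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Record "cksum size path" for every regular file under $1 into baseline $2.
make_baseline() {
    find "$1" -type f -exec cksum {} + | sort -k3 > "$2"
}

# Re-check every path in baseline $1. Prints CHANGED/MISSING lines for
# anything that differs; returns 0 if all match, 1 otherwise.
check_baseline() {
    baseline="$1"
    changed=0
    while read -r sum size path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"
            changed=1
            continue
        fi
        cur=$(cksum "$path" | awk '{print $1, $2}')
        if [ "$cur" != "$sum $size" ]; then
            echo "CHANGED $path"
            changed=1
        fi
    done < "$baseline"
    return $changed
}

# Demonstration on a constructed tree (no real system files are touched).
demo() {
    d=$(mktemp -d)
    echo "pretend this is /usr/bin/login" > "$d/login"
    chmod 755 "$d/login"
    echo "pretend this is a planted shell" > "$d/shx"
    chmod 4755 "$d/shx"            # the setuid bit is what we are hunting for

    echo "setuid/setgid files under $d:"
    find_setuid_files "$d"

    make_baseline "$d" "$d.base"
    echo "tampered" >> "$d/login"  # simulate a replaced login binary
    echo "baseline check:"
    check_baseline "$d.base" || echo "integrity check FAILED"

    rm -rf "$d" "$d.base"
}

demo
```

In practice the baseline would be generated from the distribution's install media or a freshly installed host and kept off the suspect machine, and the setuid sweep would be run over `/` rather than a single home directory.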