From owner-freebsd-security Sun Jun 23 23:29:43 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id XAA27632 for security-outgoing; Sun, 23 Jun 1996 23:29:43 -0700 (PDT)
Received: from time.cdrom.com (time.cdrom.com [204.216.27.226]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id XAA27622; Sun, 23 Jun 1996 23:29:38 -0700 (PDT)
Received: from time.cdrom.com (localhost [127.0.0.1]) by time.cdrom.com (8.7.5/8.6.9) with ESMTP id XAA10328; Sun, 23 Jun 1996 23:29:31 -0700 (PDT)
To: guido@gvr.win.tue.nl (Guido van Rooij)
cc: hackers@freebsd.org, security@freebsd.org, ache@freebsd.org
Subject: Re: I need help on this one - please help me track this guy down!
In-reply-to: Your message of "Mon, 24 Jun 1996 08:25:32 +0200." <199606240625.IAA11793@gvr.win.tue.nl>
Date: Sun, 23 Jun 1996 23:29:30 -0700
Message-ID: <10326.835597770@time.cdrom.com>
From: "Jordan K. Hubbard"
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> Do you have anti-spoof filter rules in your backbone router? If not
> install them. If so, please add packets coming in from localhost

How do you install such things on a cisco 2500? :-) Seriously, if
there's a way then I can get someone from cisco to help me out, but I
first need to know that it's even a reasonable request.

> to them. I don't know why he got in, but you can suspect rlogin plus
> a localhost entry in host.equiv combined with source routed packets.

Hmmm. We have reason to believe that he *didn't* get root (though
we're still assuming he did, just to be paranoid) and if the mod times
can be trusted, hosts.equiv hasn't been touched in many months (and
localhost is commented out).

Jordan