Date: Tue, 21 Apr 1998 11:40:15 -0700 (PDT)
From: Doug White <dwhite@gdi.uoregon.edu>
To: tj <aggravator@aggravator.net>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: my freebsd su has been compromised, now what?
Message-ID: <Pine.BSF.3.96.980421113555.4074H-100000@gdi.uoregon.edu>
In-Reply-To: <199804210406.EAA17254@hub.freebsd.org>
On Tue, 21 Apr 1998, tj wrote:

> OK, I admit it, I took the short and easy path, I had an irc buddy I
> have known (on the IRC) help me with the dns setup. Nice, and it works,
> but, he also made himself a backdoor to root. I found the file (or did
> I?!?) in his home dir w/ the help of one of my ISP providers.
> My ISP provider then proceeded to question me on if there were any more
> of these /shx files, and if "my buddy" had modified the login files and
> other stuff, and if all passwords were being routed to some machine in
> BFE, and just scary scary stuff. I guess my question is, how can I
> repair the damage (if indeed he has done any), or better yet, detect any
> damage.

This is where the mtree command comes in real handy. When the release is
built, a snapshot of the file size, location, and checksum is made for all
the files in various distributions. You can run this check later to verify
changed files.

If any damage was done, it's probably in /usr somewhere, so run

    mtree -ef /etc/mtree/BSD.usr.dist

and watch the output for any changed files. (Missing files in ./share/ are
probably ok.) Run `man mtree' for full details.

Also check your password file with vipw for any strangeness.

Doug White                              | University of Oregon
Internet: dwhite@resnet.uoregon.edu     | Residence Networking Assistant
http://gladstone.uoregon.edu/~dwhite    | Computer Science Major

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
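The snapshot-and-verify idea behind the mtree advice in the reply above, as an added example that is not part of the original thread and is not FreeBSD's mtree(8): the real tool compares the live filesystem against a specification such as /etc/mtree/BSD.usr.dist that was generated when the release was built and records more attributes (owner, group, link targets) than shown here. This Python script reproduces the core of the check on a constructed sample tree: record size, permission bits and a SHA-256 digest for each regular file, take a baseline, then report files that changed, appeared or disappeared. It also includes a small helper for the "check your password file with vipw" step that flags the two things a reviewer looks for first, a non-root UID 0 account and an empty password field. All function names, the sample tree and the sample passwd lines are our own constructions.

```python
"""Snapshot-and-verify file integrity check in the spirit of mtree(8).

Added illustration, not FreeBSD's mtree and not code from the mailing list.
build_spec(), compare_specs() and suspicious_passwd_entries() are
hypothetical helper names chosen for this example.
"""
import hashlib
import os
import stat
import tempfile


def sha256_file(path, chunk=65536):
    """Hex SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_spec(root):
    """Walk root and record (size, mode, sha256) for every regular file,
    keyed by path relative to root (mtree keys entries as ./bin/ls etc.)."""
    spec = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices and so on are out of scope here
            rel = os.path.relpath(full, root)
            spec[rel] = (st.st_size, stat.S_IMODE(st.st_mode), sha256_file(full))
    return spec


def compare_specs(baseline, current):
    """Return {'changed': [...], 'added': [...], 'missing': [...]}, each sorted.
    A file counts as changed if its size, permission bits or digest differ."""
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return {"changed": changed, "added": added, "missing": missing}


def suspicious_passwd_entries(passwd_text):
    """Flag passwd-format lines worth a close look in vipw:
    a non-root account with UID 0, or an empty password field."""
    findings = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and user != "root":
            findings.append((user, "uid 0 but not root"))
        if pw == "":
            findings.append((user, "empty password field"))
    return findings


def demo():
    """Constructed sample tree: take a baseline, alter it, report the diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "share"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"original ls binary\n")
        with open(os.path.join(root, "share", "doc.txt"), "wb") as f:
            f.write(b"docs\n")
        baseline = build_spec(root)

        # The three conditions an integrity check is meant to surface.
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"replaced ls binary\n")             # contents replaced
        with open(os.path.join(root, "bin", "shx"), "wb") as f:
            f.write(b"unexpected extra file\n")          # new file appeared
        os.remove(os.path.join(root, "share", "doc.txt"))  # file removed

        return compare_specs(baseline, build_spec(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind}: ./{p}")
    # Constructed passwd lines, not from any real system.
    sample = "root:x:0:0::/root:/bin/sh\nbob:x:0:0::/home/bob:/bin/sh\n"
    for user, why in suspicious_passwd_entries(sample):
        print(f"passwd: {user}: {why}")
```

Two caveats that carry over from the real tool: the baseline spec must come from a copy you trust (the release media, or a snapshot taken before the host was exposed), since a spec generated after the fact simply blesses whatever is already there; and a digest list says nothing about files the intruder placed outside the scanned tree, which is why the reply pairs the mtree run with a look at the password file.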