From owner-freebsd-questions Tue Apr 21 11:41:01 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA11828 for freebsd-questions-outgoing; Tue, 21 Apr 1998 11:41:01 -0700 (PDT) (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from gdi.uoregon.edu (gdi.uoregon.edu [128.223.170.30]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA11763 for ; Tue, 21 Apr 1998 18:40:29 GMT (envelope-from dwhite@gdi.uoregon.edu)
Received: from localhost (dwhite@localhost) by gdi.uoregon.edu (8.8.7/8.8.8) with SMTP id LAA04142; Tue, 21 Apr 1998 11:40:15 -0700 (PDT) (envelope-from dwhite@gdi.uoregon.edu)
Date: Tue, 21 Apr 1998 11:40:15 -0700 (PDT)
From: Doug White
Reply-To: Doug White
To: tj
cc: freebsd-questions@FreeBSD.ORG
Subject: Re: my freebsd su has been compromised, now what?
In-Reply-To: <199804210406.EAA17254@hub.freebsd.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Tue, 21 Apr 1998, tj wrote:

> OK, I admit it, I took the short and easy path, I had an irc buddy I
> have known (on the IRC) help me with the dns setup. Nice, and it works,
> but, he also made himself a backdoor to root. I found the file (or did
> I?!?) in his home dir w/ the help of one of my ISP providers.
> My ISP provider then proceeded to question me on if there were any more
> of these /shx files, and if "my buddy" had modified the login files and
> other stuff, and if all passwords were being routed to some machine in
> BFE, and just scary scary stuff. I guess my question is, how can I
> repair the damage (if indeed he has done any), or better yet, detect any
> damage.

This is where the mtree command comes in real handy. When the release is
built, a snapshot of the file size, location, and checksum is made for all
the files in various distributions. You can run this check later to verify
changed files.

If any damage was done, it's probably in /usr somewhere, so run

    mtree -ef /etc/mtree/BSD.usr.dist

and watch the output for any changed files. (Missing files in ./share/ are
probably ok.) Run `man mtree' for full details.

Also check your password file with vipw for any strangeness.

Doug White                              | University of Oregon
Internet: dwhite@resnet.uoregon.edu     | Residence Networking Assistant
http://gladstone.uoregon.edu/~dwhite    | Computer Science Major
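The baseline-then-verify idea Doug describes (a spec file recorded at release time, checked later for changed, missing and, optionally, extra files) is shown below as an added Python example. It is not from the message above and it is not mtree; it is a small re-implementation of the same check so the mechanism can be run anywhere. It records the attributes an mtree spec carries (type, permission bits, size, content digest), using SHA-256 where the 1998 spec files used cksum or MD5, and `ignore_extra=True` stands in for mtree's `-e` flag. The sample tree, the tampering applied to it, and the file names `su`, `login` and `shx` are all constructed for the demonstration.

```python
import hashlib
import os
import shutil
import stat
import tempfile


def _sha256_of(path):
    """Content digest of one regular file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_baseline(root):
    """Record type, permission bits, size and digest for everything under root.

    Keys are paths relative to root in mtree's "./..." style. Entries are
    lstat'ed, so a symlink is recorded as "other" and never followed.
    """
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            rel = "./" + os.path.relpath(full, root).replace(os.sep, "/")
            entry = {"mode": "%04o" % stat.S_IMODE(st.st_mode)}
            if stat.S_ISREG(st.st_mode):
                entry.update(type="file", size=st.st_size, sha256=_sha256_of(full))
            elif stat.S_ISDIR(st.st_mode):
                entry["type"] = "dir"
            else:
                entry["type"] = "other"  # symlink, device, fifo, ...
            baseline[rel] = entry
    return baseline


def verify_baseline(root, baseline, ignore_extra=True):
    """Compare the tree under root against a saved baseline.

    Returns a list of (path, attribute, old, new) findings. A file that has
    disappeared is reported with attribute "missing"; with ignore_extra=True
    files absent from the baseline are not reported, like mtree -e.
    """
    current = make_baseline(root)
    findings = []
    for path, old in sorted(baseline.items()):
        new = current.get(path)
        if new is None:
            findings.append((path, "missing", None, None))
            continue
        for attr in sorted(old):
            if old[attr] != new.get(attr):
                findings.append((path, attr, old[attr], new.get(attr)))
    if not ignore_extra:
        for path in sorted(set(current) - set(baseline)):
            findings.append((path, "extra", None, None))
    return findings


def _write(path, data, mode):
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, mode)


def demo():
    """Build a constructed mini /usr, baseline it, tamper with it, re-check."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "share", "doc"))
        _write(os.path.join(root, "bin", "su"), b"#!/bin/sh\necho su\n", 0o755)
        _write(os.path.join(root, "bin", "login"), b"#!/bin/sh\necho login\n", 0o755)
        _write(os.path.join(root, "share", "doc", "README"), b"docs\n", 0o644)
        baseline = make_baseline(root)  # the "release time" snapshot

        # Constructed tampering: su gets extra content, login gains the
        # setuid bit, a doc file is removed, an unknown file appears.
        with open(os.path.join(root, "bin", "su"), "ab") as f:
            f.write(b"echo trojan\n")
        os.chmod(os.path.join(root, "bin", "login"), 0o4755)
        os.remove(os.path.join(root, "share", "doc", "README"))
        _write(os.path.join(root, "bin", "shx"), b"unknown\n", 0o755)

        like_mtree_e = verify_baseline(root, baseline, ignore_extra=True)
        strict = verify_baseline(root, baseline, ignore_extra=False)
        return like_mtree_e, strict
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, attr, old, new in demo()[1]:
        print(path, attr, old, "->", new)
```

The `-e`-style run reports the changed digest and size of `./bin/su`, the mode change on `./bin/login` (a permission-only change that a size or checksum check alone would miss), and the missing `./share/doc/README`, which is the harmless kind of finding Doug's remark about `./share/` refers to; only the strict run also lists the unexpected `./bin/shx`. The check is only as trustworthy as the baseline and the checker themselves, which is why the value of the distribution's spec files lies in their having been generated before the machine was ever exposed.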