From owner-freebsd-security Fri May 28 4:57:58 1999
Date: Fri, 28 May 1999 21:57:36 +1000 (EST)
From: Nicholas Brawn
To: Dima
Cc: security@FreeBSD.ORG
Subject: Re: System being cracked!
In-Reply-To: <199905280927.OAA08009@nic.mmc.net.ge>
Message-ID:

The first thing I recommend you do is identify all setuid and setgid files on the system:

    # find / -perm -4000 > /tmp/suid.log
    # find / -perm -2000 > /tmp/sgid.log

After doing that, review them for any odd files. I'm guessing he exploited a privileged program.

Alternatively, review what services are running, and check you're running the latest versions of all of them.

Nick

On Fri, 28 May 1999, Dima wrote:

> Hello,
> I have 3.1 installed and a friend of mine made a bet that he could hack into my system. He has an ordinary account. So, he won! And I'm wondering if there are any security holes in 3.1? He logged in as himself via telnet, then he made himself root (but he was not in the wheel group and of course did not know the root password) and, what is more interesting, he cracked several passwords. He did all this in 2 hours, and the passwords were a minimum of 10 characters long, containing mixed case and digits. I am using MD5 encoding, and as I knew it, that is impossible. Has anyone any idea how it was done? Please answer me, as my friend does not tell me anything about this, as he feels like a guru-hacker.
> Thank you.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
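A baseline check of the kind Nick describes, as an added example that is not part of the original thread: it inventories setuid/setgid regular files together with their cksum, so that a planted privileged binary and a replaced existing one both stand out against a baseline saved from a known-clean system. The function names and the baseline file path are assumptions.

```sh
#!/bin/sh
# Added example, not from the original thread: inventory setuid/setgid
# files under a directory tree and compare them against a saved baseline.

# One line per setuid (04000) or setgid (02000) regular file, in the
# cksum format "<crc> <size> <path>", sorted so comm(1) can diff it.
# -type f leaves out setgid directories, which are normal and noisy.
# A replaced binary changes its crc; a planted one adds a line.
suid_inventory() {
    find "${1:-/}" -type f \( -perm -4000 -o -perm -2000 \) \
        -exec cksum {} + 2>/dev/null | sort
}

# Save the inventory of tree $1 to baseline file $2 (run this on a
# system you still trust, e.g. right after installation).
suid_baseline_save() {
    suid_inventory "$1" > "$2"
}

# Compare tree $1 against baseline $2. Prints lines that are new or
# changed (not in the baseline) and lines that went missing.
# Exit status 0 when nothing differs, 1 when something does.
suid_baseline_check() {
    cur=$(suid_inventory "$1")
    new=$(printf '%s\n' "$cur" | comm -13 "$2" -)
    gone=$(printf '%s\n' "$cur" | comm -23 "$2" -)
    [ -n "$new" ] && printf 'NEW/CHANGED:\n%s\n' "$new"
    [ -n "$gone" ] && printf 'MISSING:\n%s\n' "$gone"
    [ -z "$new" ] && [ -z "$gone" ]
}
```

Run `suid_baseline_save / /var/db/suid.base` once on a clean host and `suid_baseline_check / /var/db/suid.base` from cron afterwards; keep the baseline on media the host cannot rewrite.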