From owner-freebsd-questions Mon Dec 18 13: 0:10 2000
From owner-freebsd-questions@FreeBSD.ORG Mon Dec 18 13:00:07 2000
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mail.mdanderson.org (mail.mdanderson.org [143.111.87.47]) by hub.freebsd.org (Postfix) with ESMTP id 75C6637B402 for ; Mon, 18 Dec 2000 13:00:02 -0800 (PST)
Received: from mail.mdanderson.org (jef-nt.mdacc.tmc.edu [143.111.64.202]) by mail.mdanderson.org (8.9.1b+Sun/8.9.1) with ESMTP id OAA13356; Mon, 18 Dec 2000 14:56:38 -0600 (CST)
Message-ID: <3A3E7AC9.40306@mail.mdanderson.org>
Date: Mon, 18 Dec 2000 14:59:53 -0600
From: Jonathan Fosburgh
User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; m18) Gecko/20001108 Netscape6/6.0
X-Accept-Language: en
MIME-Version: 1.0
To: Tim McMillen
Cc: "Gerald T. Freymann" , Questions
Subject: Re: Hacker history file - OUCH
References:
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Tim McMillen wrote:

> Do you know for sure it was an intruder? Or was it just one of
> your users? Either way that doesn't look good. I'm no security expert,
> but the programs they compiled and ran could easily be backdoors to get in
> easily the next time. It's hard (for me) to tell how bad it is without
> knowing whether they were successful in getting root privileges. In the
> history file we don't see the output of the command. Nothing he did
> afterwards seems to require root privileges, but if he had them then
> those programs could easily be backdoors. I would consider the box
> compromised. Is it still in use? The best way to get the most
> information about an attack is to shut down and halt the machine ASAP.
> Then mount everything read only (perhaps on another machine). Then look
> around. That way you won't overwrite possible clues. Any disk access
> after the intruder is there can overwrite that, and that is bad for
> evidence.
>
> You may want to contact the administrators at the sites he ftp'd
> to to alert them and see if they can tell what those files were that he
> downloaded.
>
> Tim

The results of the su ought to be in /var/log/messages. Especially the one to toor. You should either see a success or failure message. Of course, he can only su to toor if the user he was in as is in group wheel.

-- 
Jonathan Fosburgh
Open Systems
Communications and Computer Services
UT MD Anderson Cancer Center
Houston, TX

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
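Jonathan's two checks (find the su result in /var/log/messages, and remember that only wheel members can su to root or toor) run over constructed log lines, as an added example that is not part of the original thread. It assumes the syslog lines FreeBSD's su(1) writes ("user to target on tty" for success, "BAD SU user to target on tty" for failure) and a group file in /etc/group format; verify the format against your own messages file.

```python
import re
# Assumed syslog lines written by FreeBSD su(1); check against your own /var/log/messages:
#   "Dec 18 14:01:30 host su: bob to root on /dev/ttyp2"         success
#   "Dec 18 14:01:12 host su: BAD SU bob to root on /dev/ttyp2"  failure
SU_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+\S+\s+su(?:\[\d+\])?:\s+"
    r"(?P<bad>BAD SU\s+)?(?P<user>\S+)\s+to\s+(?P<target>\S+)\s+on\s+(?P<tty>\S+)"
)
UID0_ACCOUNTS = {"root", "toor"}  # toor is FreeBSD's alternate uid-0 login

def parse_su_events(lines):
    """One dict per su(1) line; unrelated syslog lines (sshd, cron, ...) are skipped."""
    events = []
    for line in lines:
        m = SU_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "user": m["user"], "target": m["target"],
                           "tty": m["tty"], "success": m["bad"] is None})
    return events

def wheel_members(group_lines):
    """Members of group wheel from /etc/group-style lines (name:password:gid:member,member)."""
    for line in group_lines:
        name, _pw, _gid, members = line.strip().split(":", 3)
        if name == "wheel":
            return {m for m in members.split(",") if m}
    return set()

def review_root_su(events, wheel):
    """su attempts to a uid-0 account, flagged when they failed or came from outside wheel.
    A successful su from a non-wheel user should be impossible under the wheel rule,
    so it is the first thing to examine."""
    out = []
    for e in events:
        if e["target"] in UID0_ACCOUNTS:
            in_wheel = e["user"] in wheel
            out.append({**e, "in_wheel": in_wheel,
                        "suspicious": (not e["success"]) or (not in_wheel)})
    return out

# Constructed sample input, not real log data.
SAMPLE_LOG = [
    "Dec 18 14:01:12 shell su: BAD SU bob to root on /dev/ttyp2",
    "Dec 18 14:01:30 shell su: bob to toor on /dev/ttyp2",
    "Dec 18 14:02:05 shell sshd[412]: Accepted password for alice from 10.0.0.5",
    "Dec 18 14:03:44 shell su: alice to root on /dev/ttyp0",
]
SAMPLE_GROUP = ["wheel:*:0:root,alice", "users:*:100:"]

if __name__ == "__main__":
    for row in review_root_su(parse_su_events(SAMPLE_LOG), wheel_members(SAMPLE_GROUP)):
        print(row)
```

Run against the real files with `parse_su_events(open("/var/log/messages"))` and `wheel_members(open("/etc/group"))`, ideally from the read-only mounted copy Tim describes rather than the live box.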