From owner-freebsd-security Fri May 28 18:16: 5 1999 Delivered-To: freebsd-security@freebsd.org Received: from acetylene.vapornet.net (acetylene.vapornet.net [209.100.218.11]) by hub.freebsd.org (Postfix) with ESMTP id A103214DD5 for ; Fri, 28 May 1999 18:16:01 -0700 (PDT) (envelope-from john@vapornet.net) Received: from datapit.home.vapornet.net (vapornet.xnet.com [205.243.141.107]) by acetylene.vapornet.net (8.9.3/8.9.3/VaporServer 2.01) with ESMTP id UAA07249; Fri, 28 May 1999 20:13:23 -0500 (CDT) (envelope from: john@vapornet.net) Received: from habanero.chili-pepper.net (habanero.chili-pepper.net [192.168.0.11]) by datapit.home.vapornet.net (8.9.3/8.9.3/VaporServer 1.4) with ESMTP id UAA30705; Fri, 28 May 1999 20:13:07 -0500 (CDT) (envelope from: john@vapornet.net) Received: (from john@localhost) by habanero.chili-pepper.net (8.9.3/8.9.3/VaporClient v3.1) id UAA29676; Fri, 28 May 1999 20:12:53 -0500 (CDT) (envelope from: john@vapornet.net) From: John Preisler MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Date: Fri, 28 May 1999 20:12:53 -0500 (CDT) To: Michael Richards <026809r@dragon.acadiau.ca> Cc: Dima , security@FreeBSD.ORG Subject: Re: System beeing cracked! In-Reply-To: References: <199905280927.OAA08009@nic.mmc.net.ge> X-Mailer: VM 6.43 under 20.4 "Emerald" XEmacs Lucid Message-ID: <14159.15859.140011.281075@habanero.chili-pepper.net> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org You never mentioned which 3rd party applications [ports,packages, et cetera] you installed on this machine. its quite possible one of those were compromised [see also qpopper, imapd, and wu-ftpd] $0.02 worth. -j Michael Richards writes: > On Fri, 28 May 1999, Dima wrote: > > > can hack into my system. He has ordinary account opened. So, he win! And > > i'am wondering if there are any security holes in 3.1? He login as > > himself via telnet, then he made him root (but he was not in wheel group > > and ofcourse did not know root password) and what is more interesting he > Finding an exploitable suid program would allow this to happen. > > > cracked several password. He made all this in 2 houres, and password was > > minimal 10 symbols lenght, containg different case and digits. I am > > using MD5 codding, and as I knew it is impossible. Has someone any idea > I would do 2 things: > a) take your master.passwd file and run crack on it yourself and see if it > finds the passwords itself. I played with crack once a long time ago and > based on what you've said about the cracked password, I belive it is more > likely that he > a) broke root > b) sniffed the passwords > > or maybe he shoulder surfed the passwords... I don't believe that md5 can > be cracked that quickly. I guess it depends on the randomness of the > password. "thisissEcur3" might take a week, but crack will still get it. > I think one of the first rules is to replace [il]=1 e=3 s=5 a=4 and all > the other commonly substituted letters. > > -Michael > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message