From owner-freebsd-security Fri May 28 23:10:11 1999
Delivered-To: freebsd-security@freebsd.org
Message-ID: <006201bea999$ee5e4b00$06c3fe90@cisco.com>
From: "Justin Wolf"
References: <374f731c.607312609@mail.sentex.net>
Subject: Re: System beeing cracked!
Date: Fri, 28 May 1999 23:10:14 -0700

> Did your friend have access to a machine on the same ethernet? He could
> have sniffed your password and the root's password, and then logged in as
> you, and then su'd to root.

To add my own meager two cents: My machine (running 2.2.8-R) was recently hacked because someone got their password sniffed (on another network). The attacker then used this account to gain root. Fortunately they didn't do any damage except change the root password (and perhaps trojan the kernel).

When I reinstalled with 3.1-R, I turned off ftpd and telnetd in inetd.conf. The only way to get to the machine now is via ssh/scp (since there are ssh clients for all major OSes these days, it's not too much of a hardship... Windows even has a (ssh2) version of scp now). This makes it more or less impossible for someone on the same net to sniff passwords. I never EVER su to root unless I'm on a 100% secure (ssh) session.
Obviously there are still holes that people can exploit, but my feeling was that this is probably the easiest way to gain root privileges, so this is the hole I plugged.

The basic security rule is: Never run any services unless you have to. Don't have bpf compiled into the kernel. Get strobe and run it on localhost - see what's open. You might not even expect the results (such as X forwarding and RPC). And lastly, always keep up on CERT and BugTraq, and run the latest version of all software (ssh, popper, sendmail, etc.) and patches.

Good luck,
-Justin
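The inetd.conf clean-up Justin describes, as an added example that is not part of the original post: a POSIX sh script that reports which enabled inetd services still use cleartext logins (the ftp/telnet path that got his account sniffed) and writes a copy with those lines commented out. The list of cleartext services, the function names and the sample inetd.conf are all constructed for this example.

```sh
#!/bin/sh
# Audit an inetd.conf for enabled services whose login exchange travels in
# cleartext and is therefore sniffable on a shared segment, then write a
# hardened copy with those lines commented out. Everything else is left alone.

# Constructed list for this example: services that send passwords in the clear.
CLEARTEXT_SERVICES="ftp telnet pop3 imap login shell exec"

# Print the names of enabled (uncommented) cleartext services in file $1.
audit_inetd() {
    awk -v list="$CLEARTEXT_SERVICES" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        ($1 in bad) { print $1 }
    ' "$1"
}

# Copy $1 to $2, commenting out every enabled cleartext service line.
harden_inetd() {
    awk -v list="$CLEARTEXT_SERVICES" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
        !/^[ \t]*#/ && NF > 0 && ($1 in bad) { print "#" $0; next }
        { print }
    ' "$1" > "$2"
}

# Write a constructed sample resembling a FreeBSD 3.x /etc/inetd.conf to $1.
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample inetd.conf (not from a real host)
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
#shell  stream  tcp     nowait  root    /usr/libexec/rshd       rshd
pop3    stream  tcp     nowait  root    /usr/local/libexec/popper popper
comsat  dgram   udp     wait    tty:tty /usr/libexec/comsat     comsat
ntalk   dgram   udp     wait    tty:tty /usr/libexec/ntalkd     ntalkd
EOF
}

# Stand-alone demonstration on the constructed sample.
SAMPLE=$(mktemp) && HARDENED=$(mktemp)
make_sample "$SAMPLE"
echo "Enabled cleartext-login services:"
audit_inetd "$SAMPLE"
harden_inetd "$SAMPLE" "$HARDENED"
echo "Hardened copy written to $HARDENED; send inetd a HUP after installing it"
```

On a live system point the functions at /etc/inetd.conf and review the hardened copy before installing it; the comsat and ntalk lines in the sample show that unrelated services are preserved.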