From owner-freebsd-security Thu Aug 27 01:39:31 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA05283 for freebsd-security-outgoing; Thu, 27 Aug 1998 01:39:31 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from mail.ftf.dk (mail.ftf.dk [129.142.64.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA05274; Thu, 27 Aug 1998 01:39:29 -0700 (PDT) (envelope-from regnauld@deepo.prosa.dk)
Received: from mail.prosa.dk ([192.168.100.254]) by mail.ftf.dk (8.8.8/8.8.8/gw-ftf-1.0) with ESMTP id KAA15674; Thu, 27 Aug 1998 10:44:25 +0200 (CEST) (envelope-from regnauld@deepo.prosa.dk)
Received: from deepo.prosa.dk (deepo.prosa.dk [192.168.100.10]) by mail.prosa.dk (8.8.8/8.8.5/prosa-1.1) with ESMTP id KAA15633; Thu, 27 Aug 1998 10:48:43 +0200 (CEST)
Received: (from regnauld@localhost) by deepo.prosa.dk (8.8.8/8.8.5/prosa-1.1) id KAA14417; Thu, 27 Aug 1998 10:38:15 +0200 (CEST)
Message-ID: <19980827103815.51594@deepo.prosa.dk>
Date: Thu, 27 Aug 1998 10:38:15 +0200
From: Philippe Regnauld
To: Wilson MacGyver, security@FreeBSD.ORG
Subject: Re: post breakin log
References: <199808270538.BAA01341@armitage.cylatech.com> <1143.904199171@time.cdrom.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.88e
In-Reply-To: <1143.904199171@time.cdrom.com>; from Jordan K. Hubbard on Wed, Aug 26, 1998 at 11:26:11PM -0700
X-Operating-System: FreeBSD 2.2.6-RELEASE i386
Phone: +45 3336 4148
Address: Ahlefeldtsgade 16, 1359 Copenhagen K, Denmark
Organization: PROSA
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Jordan K. Hubbard writes:
>
> Every 14 year old kid too young to drive or grow pubic hair has a
> FreeBSD rootkit. That's nothing particularly special or noteworthy
> these days, I hate to say. :)

Right. I hate to repeat it, but 99% of attacks today are scr1pt k1ddies. The rest you don't find.
I mean, someone who successfully breaks into a machine (i.e. Linux), successfully installs RootKit3 (the one that includes "shadowing" configuration files to hide entries in ls, ps, etc.) and then goes on to run an IRC robot + sniffer really has no clue.

The problem is that these kinds of attacks:

- make a lot of noise
- increase the alertness/work ratio of new sysadmins
- make it more difficult to trace more subtle attacks

For a good starting point: http://www.ugu.com/sui/ugu/show?I=admin.security&F=1111111111&G=Y

--
-[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]-
The Internet is busy. Please try again later.
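The rootkit the message mentions hides processes by trojaning `ps`. A cross-view check is one way a sysadmin can catch that: ask the kernel directly which PIDs exist and compare against what `ps` prints. The script below is an added example, not from the original thread; it assumes `ps -axo pid=` (valid on FreeBSD and Linux) and uses a constructed `ps` sample in which PID 1337 has been filtered out.

```python
import os
import re
import subprocess
from typing import Callable, Optional, Set

# Constructed sample of `ps -axo pid=` output (one PID per line), as a
# process-hiding rootkit might present it: PID 1337 has been filtered out.
SAMPLE_PS_OUTPUT = "1\n42\n1336\n1338\n"


def pids_from_ps(ps_output: str) -> Set[int]:
    """Parse the PID column printed by `ps -axo pid=` into a set of ints."""
    return {int(tok) for tok in re.findall(r"^\s*(\d+)\s*$", ps_output, re.M)}


def probe_pids(max_pid: int, exists: Optional[Callable[[int], bool]] = None) -> Set[int]:
    """Enumerate live PIDs by probing each one with signal 0.

    os.kill(pid, 0) delivers no signal; it only asks the kernel whether the
    PID exists. EPERM (PermissionError) still means the PID exists, it just
    belongs to another user. The `exists` hook is an assumption for offline
    testing: it stands in for the kernel probe.
    """
    found = set()
    for pid in range(1, max_pid + 1):
        if exists is not None:
            alive = exists(pid)
        else:
            try:
                os.kill(pid, 0)
                alive = True
            except ProcessLookupError:
                alive = False
            except PermissionError:
                alive = True
        if alive:
            found.add(pid)
    return found


def hidden_pids(ps_pids: Set[int], probed_pids: Set[int]) -> Set[int]:
    """PIDs the kernel confirms but a (possibly trojaned) ps does not list."""
    return probed_pids - ps_pids


if __name__ == "__main__":
    ps = subprocess.run(["ps", "-axo", "pid="], capture_output=True, text=True, check=True).stdout
    missing = hidden_pids(pids_from_ps(ps), probe_pids(99999))
    print("PIDs visible to the kernel but not to ps:", sorted(missing))
```

On a live system a process that starts or exits between the two snapshots shows up as a false positive, so rerun the check before trusting a single hit; a PID that stays hidden across runs is the signal worth investigating.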