From owner-freebsd-isp Wed Feb 5 07:28:07 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id HAA12036 for isp-outgoing; Wed, 5 Feb 1997 07:28:07 -0800 (PST)
Received: from irvine.americasnet.com (ricardo@irvine.americasnet.com [208.145.128.2]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id HAA11946 for ; Wed, 5 Feb 1997 07:28:03 -0800 (PST)
Received: from localhost (ricardo@localhost) by irvine.americasnet.com (8.8.5/8.7.3) with SMTP id HAA01161 for ; Wed, 5 Feb 1997 07:29:21 -0800
Date: Wed, 5 Feb 1997 07:29:21 -0800 (PST)
From: Ricardo Kleemann
To: FreeBSD ISP list
Subject: hacking - help
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-isp@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Hi,

Today I noticed someone was logged into my FreeBSD machine, as user ftp. I immediately killed the shell and saw that soon he was back in. I then just made sure ftp had no shell, in hopes he won't be able to get in.

But, the real question is, what hole must I plug to prevent this? Is there a known hole where someone can log in as ftp and gain root access?

Thank God, it seems no damage was done (I hope! I haven't noticed anything other than wtmp was erased).

Also, does FreeBSD support host.allow and host.deny? I didn't see those files in /etc and there was no man page.

Thanks for any help!

Ricardo