From owner-freebsd-questions  Tue Jun 22 23:59:10 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from cygnus.rush.net (cygnus.rush.net [209.45.245.133])
	by hub.freebsd.org (Postfix) with ESMTP id 3CB2C14C94
	for <questions@FreeBSD.ORG>; Tue, 22 Jun 1999 23:59:07 -0700 (PDT)
	(envelope-from bright@rush.net)
Received: from localhost (bright@localhost)
	by cygnus.rush.net (8.9.3/8.9.3) with SMTP id DAA05260;
	Wed, 23 Jun 1999 03:01:01 -0400 (EDT)
Date: Wed, 23 Jun 1999 02:00:59 -0500 (EST)
From: Alfred Perlstein <bright@rush.net>
To: Jerry Raynor <jerryr@ComCAT.COM>
Cc: questions@FreeBSD.ORG
Subject: Re: HELP HACKER!!!
In-Reply-To: <Pine.GSO.4.02A.9906222003440.7244-100000@uw>
Message-ID: <Pine.BSF.3.96.990623015757.14320w-100000@cygnus.rush.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Tue, 22 Jun 1999, Jerry Raynor wrote:

> I caught someone who had just got in and setup a user account!!  hwo di I
> find out how they got it????  This is my first encounter with this, what
> steps should I take??  Thanks!!  I'm useing FreeBSD-2.2.5-R  I've changed
> my password and root's password already

most likely you've been hit with the BSD procfs hole, my suggestion?
upgrade to 2.2.8 and in the future try to keep ahead of such holes,
by staying somewhat current and keeping in touch with the freebsd
mailing lists and CERT advisories.

http://www.freebsd.org/handbook/stable.html
http://www.freebsd.org/security/security.html

-Alfred



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message