From owner-freebsd-security  Mon Jun 24 03:49:18 1996
Return-Path: owner-security
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.5/8.7.3) id DAA03610
          for security-outgoing; Mon, 24 Jun 1996 03:49:18 -0700 (PDT)
Received: from shogun.tdktca.com ([206.26.1.21])
          by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id DAA03605;
          Mon, 24 Jun 1996 03:49:15 -0700 (PDT)
Received: from shogun.tdktca.com (daemon@localhost) by shogun.tdktca.com (8.7.2/8.7.2) with ESMTP id FAA13845; Mon, 24 Jun 1996 05:50:35 -0500 (CDT)
Received: from orion.fa.tdktca.com ([163.49.131.130]) by shogun.tdktca.com (8.7.2/8.7.2) with SMTP id FAA13840; Mon, 24 Jun 1996 05:50:34 -0500 (CDT)
Received: from orion (alex@localhost [127.0.0.1]) by orion.fa.tdktca.com (8.6.12/8.6.9) with SMTP id FAA15083; Mon, 24 Jun 1996 05:52:57 -0500
Message-ID: <31CE7387.C50A843@fa.tdktca.com>
Date: Mon, 24 Jun 1996 05:52:55 -0500
From: Alex Nash <alex@fa.tdktca.com>
Organization: TDK Factory Automation
X-Mailer: Mozilla 2.0 (X11; I; Linux 1.2.13 i586)
MIME-Version: 1.0
To: "Jordan K. Hubbard" <jkh@time.cdrom.com>
CC: Ng Pheng Siong <ngps@technet.sg>, Terry Lambert <terry@lambert.org>,
        guido@gvr.win.tue.nl, hackers@FreeBSD.ORG, security@FreeBSD.ORG,
        ache@FreeBSD.ORG
Subject: Re: I need help on this one - please help me track this guy down! 
References: <11148.835611351@time.cdrom.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Jordan K. Hubbard wrote:
> 
> We're pretty sure we know how he got in at this point but I'm going
> to refrain from saying anything until we have had a chance to talk
> with the FreeBSD security officers about this incident.
> 
>                                         Jordan
> 
> > On Sun, 23 Jun 1996, Terry Lambert wrote:
> > > 1)  Do not believe this.  Assume he got root.
> >
> > Fundamental question: how did the intruder get in? Telnet with reuseable
> > passwords, or something else?
> >
> > Note that the intruder is probably reading these lists. ;)

Well not only do you know how he got in, but if he really is reading
these lists, we've got our man (or woman, as the case may be).  There's
only one user from pu.ru on the combined hackers/security lists. :)

Disclaimer: I'm kidding, I would not point the finger at this person
based on such circumstantial evidence.

Alex