From owner-freebsd-security Mon Mar 5 18:38: 7 2001 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 0B18937B719 for ; Mon, 5 Mar 2001 18:38:00 -0800 (PST) (envelope-from Cy.Schubert@uumail.gov.bc.ca) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id SAA13318; Mon, 5 Mar 2001 18:36:22 -0800 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda13316; Mon Mar 5 18:36:09 2001 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.2/8.9.1) id f262a3n68963; Mon, 5 Mar 2001 18:36:03 -0800 (PST) Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdq68961; Mon Mar 5 18:35:56 2001 Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.3/8.9.1) id f262Zs094331; Mon, 5 Mar 2001 18:35:54 -0800 (PST) Message-Id: <200103060235.f262Zs094331@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdg91885; Mon Mar 5 18:34:54 2001 X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4 Reply-To: Cy Schubert - ITSD Open Systems Group From: Cy Schubert - ITSD Open Systems Group X-Sender: schubert To: Alfred Perlstein Cc: Evren Yurtesen , Dag-Erling Smorgrav , dce , security@FreeBSD.ORG Subject: Re: 31337 In-reply-to: Your message of "Mon, 05 Mar 2001 12:09:19 PST." <20010305120919.X8663@fw.wintelcom.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Mon, 05 Mar 2001 18:34:52 -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <20010305120919.X8663@fw.wintelcom.net>, Alfred Perlstein writes: > * Evren Yurtesen [010305 11:30] wrote: > > cant it be a person who has a shell and execute some daemons etc ? like > > ircd? > > > > why does he need to reinstall his system? > > Oh, and as far as why a complete reinstall is a good idea, iss because > you have _no idea_ as to how far the person has gone to install back > doors in the system, only a complete reinstall has a good chance of > fixing them all. ... then install tripwire. This will help identify changed files. Not a perfect solution, as tripwire can be circumvented, but it is more difficult. Then keep a copy of your database offline and/or sign your database. Alternatively run at securelevel > 0. Once again not a perfect solution. Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/Alpha Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD, ISTA Province of BC > > > > > > > > Evren > > > > > dce writes: > > > > I have noticed the following ports open on my FreeBSD 4.2-STABLE machin > e > > > > > > > > 31337/tcp open Elite > > > > 6667/tcp open irc > > > > > > You're owned. Take your box off the net, take a backup, reinstall from > > > trusted media (preferably original CD-ROMs from BSDI), transfer data > > > (*no* executables, scripts or configuration files!) from backup. And > > > get some security clue; the security(7) man page is a good place to > > > start, though far from complete. > > > > > > DES > > > -- > > > Dag-Erling Smorgrav - des@ofug.org > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > with "unsubscribe freebsd-security" in the body of the message > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > -- > -Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org] > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message