Date: Mon, 28 Jul 1997 12:38:35 -0700 (PDT)
From: Vincent Poy <vince@mail.MCESTATE.COM>
To: Robert Watson <robert+freebsd@cyrus.watson.org>
Cc: Tomasz Dudziak <loco@onyks.wszib.poznan.pl>, security@FreeBSD.ORG, "[Mario1-]" <mario1@PrimeNet.Com>, JbHunt <johnnyu@accessus.net>
Subject: Re: security hole in FreeBSD
Message-ID: <Pine.BSF.3.95.970728123635.3844m-100000@mail.MCESTATE.COM>
In-Reply-To: <Pine.BSF.3.95q.970728142652.3342F-100000@cyrus.watson.org>
On Mon, 28 Jul 1997, Robert Watson wrote:

=)> =)I'd be tempted to look in all the normal places -- sendmail, etc. What
=)> =)daemons were running on the machine? Any web server processes? Also, I'd
=)> =)heavily suspect that he sniffed a password if no encrypted telnet/ssh is
=)> =)in use.. Any use of NIS going on? Also, .rhosts arrangements can be
=)> =)extremely unhappy if we already know (s)he is messing with DNS entries.
=)>
=)> sendmail is running as well as apache httpd... ftpd, telnetd, and
=)> ircd. No NIS. All I know was he managed to change everyone's .rhosts
=)> file when it doesn't exist originally and the contents just had:
=)> + +
=)> in it.
=)
=)This guy sounds like either he has good tools, or good experience. For
=)safety's sake, I'd guess the latter. All he needed was one sniffed
=)password to get on the system, and then you may be stuck with known holes
=)in application software. Most of the security problems I've seen have
=)started with a sniffed password, but this comes from dormitory experience
=):).

Yep, sniffing would work but can they actually sniff outside of the network?

=)Your best hope at this point is to shut down the system, boot on a floppy
=)with a CDROM mounted, and then do a strategic MD5 checksum of all binaries
=)and check for changes. If you're running STABLE, your best bet may be to
=)sup down differences, but to reinstall the binaries necessary to support
=)the cvsup stuff from CDROM, as well as system kernel and /bin, /sbin, etc.
=)If he's made enough changes to zap syslog, netstat, login-stuff, I
=)wouldn't trust any other tools on the system currently.

Not even a rebuild of -current after cvs?
Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET
Unix Networking Operations - FreeBSD-Real Unix for Free
GaiaNet Corporation - M & C Estate
Beverly Hills, California USA 90210
HongKong Stars/Gravis UltraSound Mailing Lists Admin
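The two checks discussed in this thread, as an added example that is not part of the original mail: comparing every binary in a tree against an MD5 manifest taken from known-good media (Robert's advice), and locating .rhosts files that hold the "+ +" line Vince describes. The manifest format and the md5/md5sum wrapper are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original thread. Run it from a clean boot
# (floppy + CDROM) against the mounted, suspect filesystem.
# Assumed manifest format (constructed here): "<md5 hex>  <relative path>".

md5_of() {
    # FreeBSD ships md5(1); GNU systems ship md5sum(1). Print only the digest.
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# make_baseline ROOT > manifest : record every regular file under ROOT,
# to be run against the known-good copy of /bin, /sbin, etc.
make_baseline() {
    root=$1
    find "$root" -type f | sort | while read -r f; do
        printf '%s  %s\n' "$(md5_of "$f")" "${f#"$root"/}"
    done
}

# check_tree MANIFEST ROOT : one line per CHANGED / MISSING / NEW path,
# manifest order first, then files the baseline never saw (dropped-in
# binaries). Prints nothing when the tree matches the baseline.
check_tree() {
    manifest=$1; root=$2
    while read -r sum path; do
        [ -z "$path" ] && continue
        if [ ! -f "$root/$path" ]; then echo "MISSING $path"
        elif [ "$(md5_of "$root/$path")" != "$sum" ]; then echo "CHANGED $path"
        fi
    done < "$manifest"
    find "$root" -type f | sort | while read -r f; do
        rel=${f#"$root"/}
        grep -q -- "  $rel\$" "$manifest" || echo "NEW $rel"
    done
}

# find_open_rhosts HOMEROOT : print each .rhosts under HOMEROOT containing a
# "+ +" line (trust any user from any host), allowing stray whitespace.
find_open_rhosts() {
    find "$1" -name .rhosts -type f | sort | while read -r f; do
        grep -qx '[[:space:]]*+[[:space:]]*+[[:space:]]*' "$f" && echo "$f"
    done
    return 0
}
```

The MD5 wrapper is only as trustworthy as the md5/md5sum binary it calls, so run it from the clean media rather than the suspect system's own /sbin.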