Date: Mon, 28 Jul 1997 12:38:35 -0700 (PDT)
From: Vincent Poy
To: Robert Watson
cc: Tomasz Dudziak, security@FreeBSD.ORG, "[Mario1-]", JbHunt
Subject: Re: security hole in FreeBSD

On Mon, 28 Jul 1997, Robert Watson wrote:

=)> =)I'd be tempted to look in all the normal places -- sendmail, etc. What
=)> =)daemons were running on the machine? Any web server processes? Also, I'd
=)> =)heavily suspect that he sniffed a password if no encrypted telnet/ssh is
=)> =)in use.. Any use of NIS going on? Also, .rhosts arrangements can be
=)> =)extremely unhappy if we already know (s)he is messing with DNS entries.
=)>
=)> sendmail is running as well as apache httpd... ftpd, telnetd, and
=)> ircd. No NIS. All I know was he managed to change everyone's .rhosts
=)> file when it doesn't exist originally and the contents just had:
=)> + +
=)> in it.
=)
=)This guy sounds like either he has good tools, or good experience. For
=)safety's sake, I'd guess the latter. All he needed was one sniffed
=)password to get on the system, and then you may be stuck with known holes
=)in application software. Most of the security problems I've seen have
=)started with a sniffed password, but this comes from dormitory experience
=):).

Yep, sniffing would work but can they actually sniff outside of the network?

=)Your best hope at this point is to shut down the system, boot on a floppy
=)with a CDROM mounted, and then do a strategic MD5 checksum of all binaries
=)and check for changes. If you're running STABLE, your best bet may be to
=)sup down differences, but to reinstall the binaries necessary to support
=)the cvsup stuff from CDROM, as well as system kernel and /bin, /sbin, etc.
=)If he's made enough changes to zap syslog, netstat, login-stuff, I
=)wouldn't trust any other tools on the system currently.

Not even a rebuild of -current after cvs?

Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET
Unix Networking Operations - FreeBSD-Real Unix for Free
GaiaNet Corporation - M & C Estate
Beverly Hills, California USA 90210
HongKong Stars/Gravis UltraSound Mailing Lists Admin
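The checksum audit Robert describes above, as an added example that is not part of the thread: it builds an MD5 manifest from a trusted tree (the CDROM or freshly reinstalled binaries) and reports changed, missing and added files in the suspect tree. The function names and the sample trees are constructed for illustration; the point the thread makes still applies, so run the manifest and the comparison from clean media, since a trojaned md5sum or find on the compromised host cannot be trusted.

```shell
#!/bin/sh
# Added example (not from the thread): verify a suspect tree against a checksum
# manifest built from trusted media. Function names are hypothetical.

# Print only the digest of one file; md5sum (GNU) with an openssl fallback.
hash_file() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 -r "$1" | cut -d' ' -f1
    fi
}

# make_manifest ROOT OUT: one "digest ./relative/path" line per regular file
# under ROOT. Build it from the trusted tree, never from the suspect host.
make_manifest() {
    (cd "$1" && find . -type f | sort | while IFS= read -r f; do
        printf '%s %s\n' "$(hash_file "$f")" "$f"
    done) > "$2"
}

# verify_tree ROOT MANIFEST: report CHANGED, MISSING and ADDED files relative
# to the manifest; return 0 only when the tree matches exactly.
verify_tree() {
    root=$1; manifest=$2
    known=$(cut -d' ' -f2- "$manifest")
    report=$(
        while read -r digest path; do
            if [ ! -f "$root/$path" ]; then echo "MISSING $path"
            elif [ "$(hash_file "$root/$path")" != "$digest" ]; then echo "CHANGED $path"
            fi
        done < "$manifest"
        # Files that exist only in the suspect tree (anything dropped in later).
        (cd "$root" && find . -type f | sort) | while IFS= read -r f; do
            printf '%s\n' "$known" | grep -qFx "$f" || echo "ADDED $f"
        done
    )
    [ -n "$report" ] && printf '%s\n' "$report"
    [ -z "$report" ]
}

# demo_check: constructed sample with a replaced login, a deleted ls and an
# extra binary. Prints the report and returns verify_tree's status.
demo_check() {
    t=$(mktemp -d)
    mkdir -p "$t/good/bin" "$t/suspect/bin"
    printf 'login v1\n' > "$t/good/bin/login";    printf 'ls v1\n' > "$t/good/bin/ls"
    printf 'login v2\n' > "$t/suspect/bin/login"; printf 'x\n' > "$t/suspect/bin/extra"
    make_manifest "$t/good" "$t/manifest"
    verify_tree "$t/suspect" "$t/manifest"
}
```

In a script run under `set -e`, call `verify_tree` inside an `if` so a non-zero result is handled rather than aborting the audit.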