Date: Wed, 29 Nov 1995 23:48:11 -0800
From: "Jordan K. Hubbard" <jkh@time.cdrom.com>
To: security@freebsd.org
Subject: Robert Du Gaue: ****HELP*****
Message-ID: <7921.817717691@time.cdrom.com>

Argh. Anyone here care to do a little sleuthing for this FreeBSD-using
service provider?

					Jordan

------- Forwarded Message

Return-Path: rdugaue@web3.calweb.com
Received: from calweb.calweb.com (calweb.calweb.com [165.90.138.3]) by time.cdrom.com (8.6.12/8.6.9) with ESMTP id VAA05579 for <jkh@time.cdrom.com>; Wed, 29 Nov 1995 21:18:24 -0800
Received: from web3.calweb.com by calweb.calweb.com via ESMTP (8.6.12/940406.SGI.AUTO) for <jkh@calweb.com> id FAA20984; Thu, 30 Nov 1995 05:21:28 GMT
Received: (from rdugaue@localhost) by web3.calweb.com (8.7/8.6.9) id VAA07285; Wed, 29 Nov 1995 21:21:29 -0800 (PST)
Date: Wed, 29 Nov 1995 21:21:28 -0800 (PST)
From: Robert Du Gaue <rdugaue@calweb.com>
To: "Jordan K. Hubbard" <jkh@calweb.com>
Subject: ****HELP*****
Message-ID: <Pine.BSF.3.91.951129211638.7134A-100000@web3.calweb.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Well, we've got a major problem I'm hoping you can solve. Yesterday a user
(known pirate) pissed off another hacker and somehow he got into the system
and deleted the users directory, took our pw file (cated out in an IRC
channel with the encrypted pws).

We immediately checked our systems, found sendmail to be 8.9, upgraded all
these sendmails to 8.7, blocked 2 class addresses that he may have come
from, removed root from ftp on one of the machines, and deleted all the lp
stuff (since we have no printers). Checked for suid programs.

Well, we restored the directory, and it got deleted again tonight. We have
no idea how he is doing this. He's changed the /etc/raddb/users file
(removed the user from the file) also.

In a word, I'm stuck, we're unsure of how he's doing it and I'm very scared
right now that he'll do something major to the system.

------- End of Forwarded Message