Date: Thu, 31 May 2001 18:39:51 -0700 (PDT)
From: Brian Behlendorf
To: "Karsten W. Rohrbach"
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)
In-Reply-To: <20010601012752.C85717@mail.webmonster.de>
Sender: owner-freebsd-security@FreeBSD.ORG

On Fri, 1 Jun 2001, Karsten W. Rohrbach wrote:

> this was one "result" of the compromised ssh binary at sourceforge.
> i don't want to think about it aloud in public what's next :-(
>
> last | grep sourceforge
> for (every account affected)
> 	pw usermod "account" -h -

The shell machine at SF didn't have reverse DNS (or at least it wasn't
recorded in the wtmp), so you might want to look for 216.136.171.252 (the
machine our friend came in from) or maybe even 216.136/24.

	Brian
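The check discussed in this thread, written out as an added example that is not part of either message: it reads `last` output, selects logins whose host field contains a name or starts with an address prefix, and prints (does not run) the `pw usermod ... -h -` lock command per account. The sample `last` lines, the user and host names in them, and the dotted prefix `216.136.171.` are constructed assumptions.

```sh
#!/bin/sh
# Constructed sample of `last` output: user, tty, host, login time.
sample_last() {
cat <<'EOF'
alice   ttyp0  216.136.171.252            Mon May 28 03:12 - 03:40  (00:28)
bob     ttyp1  shell.sourceforge.example  Sun May 27 11:02 - 11:30  (00:28)
carol   ttyp2  dsl.example.net            Sun May 27 09:00 - 09:10  (00:10)
alice   ttyp3  216.136.171.17             Sat May 26 22:41 - 23:05  (00:24)
dave    ttyp0  10.216.136.171             Sat May 26 08:00 - 08:05  (00:05)
reboot  ~                                 Fri May 25 07:00
erin    ttyp4  216.136.17.9               Thu May 24 12:00 - 12:01  (00:01)

wtmp begins Thu May 24 00:00:00 2001
EOF
}

# usage: affected_accounts HOST_SUBSTRING IP_PREFIX < last-output
# Prints each user once whose host field (3rd column) matches either test.
affected_accounts() {
    awk -v name="$1" -v pfx="$2" '
        NF >= 3 {
            host = $3
            # index() == 1 anchors the prefix at the start of the field, so
            # 10.216.136.171 does not match the prefix 216.136.171.
            if ((name != "" && index(host, name) > 0) ||
                (pfx != "" && index(host, pfx) == 1))
                print $1
        }' | sort -u
}

# Dry run: print one lock command per account name read from stdin.
lock_commands() {
    while read -r user; do
        # wtmp contents are untrusted input: skip anything that is not a
        # plain account name before it reaches a command line.
        case "$user" in
            ''|*[!A-Za-z0-9._-]*) continue ;;
        esac
        printf 'pw usermod %s -h -\n' "$user"
    done
}

# On a live host, replace sample_last with: last
sample_last | affected_accounts sourceforge 216.136.171. | lock_commands
```

The trailing dot in the prefix matters: without it, `216.136.17` would also select `216.136.171.x` and the two ranges could not be told apart.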