Date: Mon, 20 Apr 1998 21:29:09 -0700
From: Julian Elischer <julian@whistle.com>
To: tj <aggravator@aggravator.net>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: my freebsd su has been compromised, now what?
Message-ID: <353C2095.345BF651@whistle.com>
References: <199804210406.EAA17254@hub.freebsd.org>

tj wrote:
>
> he also made himself a backdoor to
> root. I found the file(or did I?!?)

probably, he wasn't trying to hide it..

[...]

> do I have to start over, like my ISP friend recommends

did you install from CDROM?
if so make a list of all the files that differ from the 2nd CD
(live file system)
use 'find' to check for all SUID programs and check them all
check all the files in /etc/ for changes (compare against the
cd or the distribution) and check the dates.

check his passwd entry and check /etc/ttys and /etc/group
(among other things).

it doesn't sound like he was doing much..
I might do that myself if I was setting up a machine, just in case I
accidentally shut myself out of root during the testing..

Just consider yourself as having learned a lesson.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
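
The checks described in the message above, as an added example that is not part of the original e-mail: every set-uid/set-gid file and every file in /etc is compared against the same path on a trusted reference tree. The function names and the `/cdrom` mount point for the live file system CD are assumptions.

```shell
#!/bin/sh
# Added example; function names and the /cdrom mount point are assumptions.

# classify LIVE REF: read file paths on stdin and compare each one with the
# copy at the same relative path under the reference tree REF.
classify() {
    while IFS= read -r f; do
        rel=${f#"$1"}
        if [ ! -f "$2$rel" ]; then
            printf 'UNKNOWN %s\n' "$rel"    # not on the reference media at all
        elif cmp -s "$f" "$2$rel"; then
            printf 'OK %s\n' "$rel"         # byte-identical to the reference
        else
            printf 'CHANGED %s\n' "$rel"    # same path, different contents
        fi
    done
}

# audit_suid LIVE REF: report every set-uid or set-gid regular file under LIVE.
audit_suid() {
    live=${1%/}; ref=${2%/}
    find "${live:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print |
        classify "$live" "$ref"
}

# audit_etc LIVE REF: report only the /etc files that are new or modified.
audit_etc() {
    live=${1%/}; ref=${2%/}
    find "$live/etc" -type f -print | classify "$live" "$ref" | sed '/^OK /d'
}

# Run as a script: sh audit.sh / /cdrom
if [ "$#" -eq 2 ]; then
    audit_suid "$1" "$2"
    audit_etc "$1" "$2"
fi
```

Files in /etc such as passwd, group and ttys normally differ from the distribution copy on a configured system, so a CHANGED line there means "read this file", while an UNKNOWN or CHANGED set-uid binary is the stronger signal.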