Date: Wed, 26 Aug 1998 23:26:11 -0700
From: "Jordan K. Hubbard" <jkh@time.cdrom.com>
To: Wilson MacGyver <macgyver@cylatech.com>
Cc: security@FreeBSD.ORG
Subject: Re: post breakin log
Message-ID: <1143.904199171@time.cdrom.com>
In-Reply-To: Your message of "Thu, 27 Aug 1998 01:38:37 EDT." <199808270538.BAA01341@armitage.cylatech.com>

> My FreeBSD box got hacked about two days ago... yes yes, via the popper.
> I reinstalled the system, but saved the log. I was looking through to
> see what he has done. There is some stuff you may find interesting...

Not really...

> From the log, it seems he is very knowledgeable about FreeBSD.

Not really... :)

> though I must admit, I don't get why he makes the /dev/sync.
> also, I don't know what the deal is with the bnc* stuff

Just some rootkit. If anything, this guy looks more like a Linux kiddie than anything else - he gets his rootkits off Linux sites and seems to do most of his surfing (judging by the logs) accordingly. Also, the general use of irc & BitchX client is telling - this is clearly somebody who'd have been installing eggdrop 'bots next if he knew how to work that part out. :)

> He installed a backdoor on my system, and then attacked a bunch
> of systems while he was on. He even has a freebsd root kit. :)

Every 14 year old kid too young to drive or grow pubic hair has a FreeBSD rootkit. That's nothing particularly special or noteworthy these days, I hate to say. :)

> any suggestion to prevent further break in is appreciated.
> other than "not to run popper" anymore. (grin)

Watch bugtrax, www.rootshell.org, CERT, etc. Actively admin your system on a daily basis. Those of us who do so were never hacked via popper or generally fall prey to the usual hack of the month (my popper was turned off no more than 2 hours after the first reports started, erm, "popping" up on the net).

- Jordan