From: "Jordan K. Hubbard" <jkh@time.cdrom.com>
To: Wilson MacGyver
cc: security@FreeBSD.ORG
Subject: Re: post breakin log
In-reply-to: Your message of "Thu, 27 Aug 1998 01:38:37 EDT." <199808270538.BAA01341@armitage.cylatech.com>
Date: Wed, 26 Aug 1998 23:26:11 -0700
Message-ID: <1143.904199171@time.cdrom.com>

> My FreeBSD box got hacked about two days ago... yes yes, via the popper.
> I reinstalled the system, but saved the log. I was looking through to
> see what he has done. There is some stuff you may find interesting...

Not really...

> From the log, it seems he is very knowledgeable about FreeBSD.

Not really... :)

> though I must admit, I don't get why he makes the /dev/sync.
> also, I don't know what the deal with the bnc* stuff is

Just some rootkit. If anything, this guy looks more like a Linux kiddie than anything else - he gets his rootkits off Linux sites and seems to do most of his surfing (judging by the logs) accordingly. Also, the general use of irc & the BitchX client is telling - this is clearly somebody who'd have been installing eggdrop 'bots next if he knew how to work that part out. :)

> He installed a backdoor on my system, and then attacked a bunch
> of systems while he was on. He even has a FreeBSD root kit.

:) Every 14 year old kid too young to drive or grow pubic hair has a FreeBSD rootkit. That's nothing particularly special or noteworthy these days, I hate to say. :)

> any suggestion to prevent further break-ins is appreciated.
> other than "not to run popper" anymore. (grin)

Watch Bugtraq, www.rootshell.org, CERT, etc. Actively admin your system on a daily basis. Those of us who do so were never hacked via popper and generally don't fall prey to the usual hack of the month (my popper was turned off no more than 2 hours after the first reports started, erm, "popping" up on the net).

- Jordan