From: "Gerald T. Freymann"
To: "Jonathan Fosburgh"
Cc: "Questions"
Subject: RE: Hacker history file - OUCH
Date: Mon, 18 Dec 2000 16:13:55 -0500
In-Reply-To: <3A3E7AC9.40306@mail.mdanderson.org>

|O|> Do you know for sure it was an intruder?

Had to be. All of this was done under the name of our backup software (amanda).

|O|> The results of the su ought to be in /var/log/messages.
|O|> Especially the one to toor. You should either see a success or failure message.

Duh! Forgot about that. It only logs successful su's and there are none from anybody but staff since Nov 30th.

|O|> Of course, he can only su to toor if the user he was in as is in
|O|> group wheel.

How true. I'm not sure how they got in, but supposedly it may not be too bad? The box is being replaced this week. I have Tripwire running on other boxes as of right now.

-Gerry