Delivered-To: freebsd-security@freebsd.org
From: "Vladimir I. Kulakov"
Subject: "snmp.sample" in /usr/local/etc/rc.d/
Date: Sun, 20 Aug 2000 20:09:44 +0400
Message-Id: <20000820161100Z274714-23170+33643@ajax2.sovam.com>

Hi, all!

I've just moved my server from FreeBSD 2.2.5 to 4.0 due to a total hardware upgrade and many security holes. After the upgrade I mounted the hard disk from the previous machine and moved all users' data from /usr/home/ on it to the new hard disk. The new machine had a new root password, of course.

But the next day after the upgrade I suddenly noticed two new scripts in /usr/local/etc/rc.d/ which are intended to start at every bootup and which I've never installed. Moreover, in /usr/local/sbin/ two more files appeared (snmpd, and the second is something like this). I've never installed snmp on that machine, and mtree tells me such files never existed there. In the log files there is nothing special. The new system was installed from a "clear" distribution.

Were these trojan programs? How can I check my server for such security holes? And how could such programs be installed?

Maybe my mistake was mounting my old disk with security holes, then working connected to the Internet? But how could the hacker execute programs, even from an insecure disk, on a secure machine?

Help me, please!!!