Date: Wed, 22 Jul 1998 00:13:29 -0600
From: Brett Glass <brett@lariat.org>
To: Jim Shankland <jas@flyingfox.com>, ahd@kew.com, leec@adam.adonai.net
Cc: security@FreeBSD.ORG
Subject: Re: hacked and don't know why
Message-ID: <199807220613.AAA26581@lariat.lariat.org>
In-Reply-To: <199807220536.WAA11804@biggusdiskus.flyingfox.com>
References: <Pine.BSF.3.96.980721185446.5721A-100000@adam.adonai.net>
The symptoms aren't hard to understand. As I found out when we were hit by the same hack, buffer overflow exploits also hose memory.... The disk cache, kernel data, possibly even page tables can be corrupted. Nothing's safe. If you do anything to your file system before rebooting, you can wind up with corrupted directories and worse. This happened to us.

--Brett

At 10:36 PM 7/21/98 -0700, Jim Shankland wrote:
>"Lee Crites (ASC)" <leec@adam.adonai.net> writes:
>
>> In my case, the bin directories (/bin, /sbin, /usr/bin,
>> /usr/sbin, etc) were still there, just that every program was
>> replaced with the exact same "dummy" program. All were, as I
>> recall, around 180k (exact same size with cmp showing no
>> differences in any of them). The funny thing is that ls did what
>> ls was supposed to do, ps did what it was supposed to do, etc,
>> even though they were the same size and cmp'd as identical.
>
>I *definitely* want to know how to squeeze every executable in
>/bin, /sbin, /usr/bin, and /usr/sbin into one 180KB file. I'll
>bet Jordan would, too, if he hadn't foresworn working on sysinstall :-).
>
>The symptoms you describe (not counting the blow to the head), as
>well as Drew's, make me think "filesystem damage due to failing/flakey
>hardware" before "security compromise." Can't say for sure,
>of course; and in both cases, the evidence is gone. But I think
>you may be jumping to conclusions a bit to assert, "We were hacked
>like this two weeks ago."
>
>Jim Shankland
>Flying Fox Computer Systems, Inc.
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe security" in the body of the message
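A defender-side check for the symptom Lee describes above, written as an added example that is not from this thread: it hashes every file under the named directories and reports groups of byte-identical files, the way cmp showed every command to be the same 180k file. Assumed: sha256sum (or shasum) is installed, and the threshold and directories are passed as arguments.

```shell
#!/bin/sh
# Added example, not from the thread: flag directories where many distinct
# programs have collapsed into one byte-identical file, the symptom described
# above. Assumptions: sha256sum or shasum -a 256 exists; the first argument is
# the group size worth reporting, the rest are directories to scan.

# Print one line per regular file under the given directories: "<sha256>\t<path>".
hash_files() {
    if command -v sha256sum >/dev/null 2>&1; then
        hasher="sha256sum"
    else
        hasher="shasum -a 256"
    fi
    find "$@" -type f 2>/dev/null | while IFS= read -r f; do
        h=$($hasher "$f" | awk '{print $1}')
        printf '%s\t%s\n' "$h" "$f"
    done
}

# Group files by content hash and report groups of at least THRESHOLD members:
# "<sha256> <count> <path> <path> ...". A healthy system shows at most a few
# small groups (hard links, genuine duplicates); dozens of commands sharing one
# hash matches the "every program replaced by the same dummy" picture.
identical_groups() {
    threshold=$1; shift
    hash_files "$@" | sort | awk -F '\t' -v min="$threshold" '
        {
            count[$1]++
            files[$1] = (files[$1] == "" ? $2 : files[$1] " " $2)
        }
        END {
            for (h in count)
                if (count[h] >= min)
                    print h, count[h], files[h]
        }'
}

# Number of suspicious groups only, for a quick pass/fail check from cron or a
# boot-time script: zero means no oversized group was found.
identical_group_count() {
    identical_groups "$@" | wc -l | tr -d ' '
}

# Example invocation over the directories named in the thread:
# identical_groups 20 /bin /sbin /usr/bin /usr/sbin
```

Run it from a clean medium rather than the suspect system's own binaries, since the point of the thread is that those cannot be trusted after the event.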
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199807220613.AAA26581>