From owner-freebsd-security Sun Jun 23 23:56:22 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id XAA28785 for security-outgoing; Sun, 23 Jun 1996 23:56:22 -0700 (PDT)
Received: from phaeton.artisoft.com (phaeton.Artisoft.COM [198.17.250.211]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id XAA28779; Sun, 23 Jun 1996 23:56:19 -0700 (PDT)
Received: (from terry@localhost) by phaeton.artisoft.com (8.6.11/8.6.9) id XAA27306; Sun, 23 Jun 1996 23:51:37 -0700
From: Terry Lambert
Message-Id: <199606240651.XAA27306@phaeton.artisoft.com>
Subject: Re: I need help on this one - please help me track this guy down!
To: jkh@time.cdrom.com (Jordan K. Hubbard)
Date: Sun, 23 Jun 1996 23:51:37 -0700 (MST)
Cc: guido@gvr.win.tue.nl, hackers@freebsd.org, security@freebsd.org, ache@freebsd.org
In-Reply-To: <10326.835597770@time.cdrom.com> from "Jordan K. Hubbard" at Jun 23, 96 11:29:30 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> Hmmm.  We have reason to believe that he *didn't* get root (though
> we're still assuming he did, just to be paranoid) and if the mod times
> can be trusted, hosts.equiv hasn't been touched in many months (and
> localhost is commented out).

1) Do not believe this.  Assume he got root.

2) Assume your password changes are mailed out as cleartext by your
   passwd program.

3) Assume md5 and checksum have been hacked to lie about themselves
   and any other files affected.

4) Assume system time stamps were changed.

5) Assume all log files were edited.

6) Best approach: reinstall the system (from distribution, not backup
   --- no telling how long he was there).

7) Turn off the stupid "password must meet these criteria" on the
   password change.  All it does is reduce the search space a hacker
   needs to apply.

8) Put spoofing filters on your firewall; basically, look for the
   response bit.

9) Make sure you aren't running routed -q.

10) Turn off source routing on your gateway, if it's on.

If you need help getting the FBI involved, tell them you had
"munitions" on the machine.  ;-).

					Terry Lambert
					terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.
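Points 3 and 4 of the reply (the host's own md5/checksum tools and its time stamps cannot be trusted) have a practical defensive counterpart: hash the suspect system's files from a trusted environment, using a hashing program and a reference manifest that were both kept off the compromised machine. The script below is an added example and is not part of the original mail or of any FreeBSD tool; it assumes a manifest format of "<hex-hash>  <relative-path>" per line and that the trusted environment has either GNU sha256sum or FreeBSD's sha256(1). The demo() function builds a constructed "clean" tree, tampers a copy the way a trojaned binary and an edited log would look (resetting the file's mtime so it appears untouched), and shows that the manifest check still catches both.

```shell
#!/bin/sh
# Added example, not code from the original mail. Verifies a suspect
# tree against a manifest generated earlier and stored OFF the suspect
# host, using a hash tool from a trusted rescue environment.
#
# Assumptions (this example's, not the page's): manifest lines look like
# "<hex-hash>  <relative-path>"; sha256sum (GNU) or sha256 (FreeBSD)
# is available in the trusted environment.

# Print the SHA-256 of one file, using whichever tool the trusted
# environment provides. Never call the suspect host's own binaries.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# Emit a manifest of every regular file under $1 (the known-good tree):
# one "hash  path" line per file, paths relative to $1, sorted.
make_manifest() {
    root=$1
    ( cd "$root" && find . -type f | sort ) | while read -r rel; do
        printf '%s  %s\n' "$(hash_file "$root/$rel")" "$rel"
    done
}

# Compare the suspect tree $2 against manifest $1. Prints one line per
# manifest entry (OK, MISMATCH or MISSING) and returns non-zero if
# anything other than OK was seen.
verify_manifest() {
    manifest=$1
    root=$2
    bad=0
    while read -r expected rel; do
        [ -n "$rel" ] || continue
        if [ ! -f "$root/$rel" ]; then
            echo "MISSING  $rel"
            bad=1
            continue
        fi
        actual=$(hash_file "$root/$rel")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $rel"
        else
            echo "MISMATCH $rel"
            bad=1
        fi
    done < "$manifest"
    return $bad
}

# Self-contained demonstration on constructed data (not real system
# files): a clean tree is hashed into a manifest, then a copy is
# tampered with and verified. Returns verify_manifest's status.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/clean/bin" "$work/clean/var/log" "$work/clean/etc" "$work/suspect"
    printf 'original ls binary\n'   > "$work/clean/bin/ls"
    printf 'login ok\nlogin ok\n'   > "$work/clean/var/log/messages"
    printf '# nothing trusted\n'    > "$work/clean/etc/hosts.equiv"
    make_manifest "$work/clean" > "$work/manifest.txt"

    cp -R "$work/clean/." "$work/suspect/"
    printf 'trojaned ls binary\n' > "$work/suspect/bin/ls"
    # Put the original mtime back: a changed time stamp is not what we
    # rely on, the hash is.
    touch -r "$work/clean/bin/ls" "$work/suspect/bin/ls"
    rm "$work/suspect/var/log/messages"

    verify_manifest "$work/manifest.txt" "$work/suspect"
    status=$?
    rm -rf "$work"
    return $status
}

# Running this file directly executes the demonstration; the mismatch
# it reports is the expected outcome.
demo || echo "suspect tree differs from manifest (expected in this demo)"
```

In a real incident the manifest comes from the installation media or from a copy made before the machine went live, and the check is run after booting from separate rescue media, so neither the hash tool nor the reference data has been on the suspect system while the intruder had root.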