From owner-freebsd-questions@FreeBSD.ORG Wed Jan 18 15:46:45 2006
From: Kilian Hagemann
Organization: University of Cape Town
To: freebsd-questions@freebsd.org
Date: Wed, 18 Jan 2006 17:46:51 +0200
User-Agent: KMail/1.8.1
References: <200601171907.17831.hagemann1@egs.uct.ac.za> <43CE5077.3060203@ntlworld.com> <44255.195.139.252.5.1137597225.squirrel@webmail.i13i.com>
In-Reply-To: <44255.195.139.252.5.1137597225.squirrel@webmail.i13i.com>
Message-Id: <200601181746.51461.hagemann1@egs.uct.ac.za>
Subject: Re: I have been hacked (WAS: Have I been hacked or is nmap wrong?)

On Wednesday 18 January 2006 17:13, chris@i13i.com pondered:
> sendmail_enable="NONE" would do the same as all that other crap mentioned
> i find it a waste of time trying to figure out how a hacker got in just
> format the machine reinstall freebsd and secure the box up a bit and try
> updating it when vulnerabilities are out.
> And this shouldn't happen again

Yeah, I'll have to look into that NONE vs all NO individually because it gave me hassles from the beginning (STILL sendmail stuff in /var/log/messages after disabling with NONE), but the important thing here is outside sendmail access was firewalled (see my other post and its attachment for ipfw rules).

Anyway, I guess you're right, reinstalling and beefing up security will be easier. I just thought that if they didn't get in through brute-forcing my sshd (the only vulnerability I can think of so far), and the attack came from the internet (not some worm/virus on one of the Windows machines), it's some unpublished vulnerability in some part of FreeBSD that I'm sure others would like to know about. But hey, from what you guys are telling me that seems unlikely...

-- 
Kilian Hagemann
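The NONE-versus-individual-NO question raised in this exchange can be checked mechanically against an rc.conf(5) file. The script below is an added example, not code from this thread or from FreeBSD; it assumes the rc.conf(5) variable names sendmail_enable, sendmail_submit_enable, sendmail_outbound_enable and sendmail_msp_queue_enable, and treats sendmail_enable="NONE" as shorthand for setting all four to NO.

```shell
#!/bin/sh
# Added example: report whether an rc.conf(5) text fully disables sendmail.
# Assumption: sendmail_enable="NONE" is equivalent to setting sendmail_enable,
# sendmail_submit_enable, sendmail_outbound_enable and sendmail_msp_queue_enable
# all to NO; the last three default to YES when left unset.

# rc_value FILE VAR: print the last assignment of VAR (quotes stripped), or nothing if unset.
rc_value() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#]*\)[\"']\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# sendmail_fully_disabled FILE: succeed only when no sendmail daemon or queue runner would start.
sendmail_fully_disabled() {
    f=$1
    case $(rc_value "$f" sendmail_enable) in
        NONE|none) return 0 ;;   # the shorthand form: everything off
    esac
    # Otherwise every knob must be explicitly NO; an unset knob keeps its YES default.
    for var in sendmail_enable sendmail_submit_enable sendmail_outbound_enable sendmail_msp_queue_enable; do
        case $(rc_value "$f" "$var") in
            NO|no) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Constructed sample rc.conf fragments (not real host configuration).
good=$(mktemp); bad=$(mktemp)
printf 'hostname="example"\nsendmail_enable="NONE"\n' > "$good"
# Only two knobs set to NO: outbound and msp_queue still default to YES.
printf 'sendmail_enable="NO"\nsendmail_submit_enable="NO"\n' > "$bad"
sendmail_fully_disabled "$good" && echo "good: sendmail fully disabled"
sendmail_fully_disabled "$bad" || echo "bad: a sendmail submission/queue process would still start"
rm -f "$good" "$bad"
```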