Date:      Wed, 4 Apr 2001 11:42:18 -0700
From:      Jon Rust <jpr@vcnet.com>
To:        Gary Geisbert <ggeisbert@e-centives.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: 4.2S compromised: what now?
Message-ID:  <20010404114217.B23357@mail.vcnet.com>
In-Reply-To: <01040409504704.40117@fbsd.bethesda.emaginet.com>; from ggeisbert@e-centives.com on Wed, Apr 04, 2001 at 09:50:47AM -0400
References:  <20010404102928.A23357@mail.vcnet.com> <01040409504704.40117@fbsd.bethesda.emaginet.com>

On Wed, Apr 04, 2001 at 09:50:47AM -0400, Gary Geisbert wrote:
> On Wednesday 04 April 2001 13:29, Jon Rust wrote:
> >
> > The thing that concerns me is, how did they get into this account?
> 
> I would start looking elsewhere on your network for answers.  Your network is 
> only as secure as your weakest link.. :-\  Perhaps the user uses the same 
> password for all accounts, and someone rooted another machine on your 
> network, and set up a sniffer...?

She has no other accounts on the network. The system was apparently
broken into before I was running 4.2-S... probably 4.1.1-S from Oct 19.
Telnet was allowed, but she only accessed it from our LAN. This machine
runs apache, mysqld, ncftpd, ntpd, sshd, telnetd (inetd), and portmap.
Portmap, sshd, and telnet are wrapped, but apparently not wrapped well.
I thought this line

  ALL : PARANOID : RFC931 20 : severity auth.info : \
    twist /bin/echo "See RFC931. Connection attempt logged."

prevented users with no reverse DNS from connecting. Maybe sshd doesn't
recognize this option? (None of the IPs they connected from had reverse
DNS set up.) Speaking of which, didn't openssh have an exploit a few
months ago? Maybe that was how they got in?

The other systems on the net appear to be fine, and are not open to any
users besides myself from a very short list of IPs.

jon
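A note on the hosts.allow rule quoted above, with an added example that is mine and not from the thread or from the tcp_wrappers sources. In hosts_access(5) the PARANOID wildcard matches only a client whose reverse name does not resolve back to its address; a client with no reverse DNS at all is matched by the UNKNOWN wildcard, not by PARANOID. The Python below models those wildcards and first-match rule evaluation, parses the posted rule (including its backslash continuation), and compares it with a hypothetical variant that also lists UNKNOWN. The Client records and addresses are constructed for the example.

```python
"""Model of the hosts_access(5) host wildcards behind the posted rule.

Added example, not tcp_wrappers source. Client records are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Client:
    addr: str                              # peer IP address
    reverse_name: Optional[str]            # PTR result, None if there is no reverse DNS
    forward_addrs: Tuple[str, ...] = ()    # A records for reverse_name (double-reverse check)


def host_state(c: Client) -> str:
    """The hosts_access notion of a client: KNOWN, UNKNOWN or PARANOID."""
    if c.reverse_name is None:
        return "UNKNOWN"            # no reverse DNS at all
    if c.addr in c.forward_addrs:
        return "KNOWN"              # name and address agree
    return "PARANOID"               # name exists but does not map back to the address


def host_matches(pattern: str, c: Client) -> bool:
    """Match one client_list token (the wildcards and the common literal forms)."""
    if pattern == "ALL":
        return True
    if pattern in ("KNOWN", "UNKNOWN", "PARANOID"):
        return host_state(c) == pattern
    if pattern.endswith("."):               # "10.0.0." -> address prefix
        return c.addr.startswith(pattern)
    if pattern.startswith("."):             # ".example.test" -> domain suffix
        return c.reverse_name is not None and c.reverse_name.endswith(pattern)
    return pattern in (c.addr, c.reverse_name)


Rule = Tuple[List[str], List[str], List[str]]   # daemon_list, client_list, options


def parse_rules(text: str) -> List[Rule]:
    """Parse hosts.allow-style rules, honouring backslash line continuations."""
    rules = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        rules.append((fields[0].split(), fields[1].split(), fields[2:]))
    return rules


def outcome(rules: List[Rule], daemon: str, c: Client) -> str:
    """First matching rule wins; report its final option keyword or fall-through."""
    for daemons, clients, options in rules:
        if ("ALL" in daemons or daemon in daemons) and any(host_matches(p, c) for p in clients):
            return options[-1].split()[0] if options else "allow"
    return "fall-through"           # no rule matched: left to later rules / the default


# The rule exactly as quoted in the post.
POST_RULES = parse_rules(r"""
ALL : PARANOID : RFC931 20 : severity auth.info : \
  twist /bin/echo "See RFC931. Connection attempt logged."
""")

# Hypothetical tighter variant: also refuse clients that have no reverse DNS.
TIGHTER_RULES = parse_rules(r"""
ALL : PARANOID UNKNOWN : severity auth.info : deny
""")

# Constructed clients (addresses taken from documentation ranges).
OK = Client("10.0.0.5", "ws5.example.test", ("10.0.0.5",))          # KNOWN
MISMATCH = Client("192.0.2.7", "ws5.example.test", ("10.0.0.5",))   # PARANOID
NO_PTR = Client("198.51.100.9", None)                              # UNKNOWN

if __name__ == "__main__":
    for name, c in (("OK", OK), ("MISMATCH", MISMATCH), ("NO_PTR", NO_PTR)):
        print(f"{name:8} {host_state(c):8} posted={outcome(POST_RULES, 'sshd', c):12} "
              f"tighter={outcome(TIGHTER_RULES, 'sshd', c)}")
```

Run as-is, the table shows the posted rule twisting the mismatched client but letting the client with no PTR record fall through to whatever rule comes next, while the variant listing both PARANOID and UNKNOWN denies both. The model covers the wildcard and prefix/suffix forms only; it does not implement EXCEPT lists, netmask patterns or the other hosts_options(5) keywords.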
