Date: Wed, 4 Apr 2001 10:49:08 -0400
From: Gary Geisbert <ggeisbert@e-centives.com>
To: Jon Rust <jpr@vcnet.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: 4.2S compromised: what now?
Message-ID: <01040410490806.40117@fbsd.bethesda.emaginet.com>
In-Reply-To: <20010404114217.B23357@mail.vcnet.com>
References: <20010404102928.A23357@mail.vcnet.com> <01040409504704.40117@fbsd.bethesda.emaginet.com> <20010404114217.B23357@mail.vcnet.com>

On Wednesday 04 April 2001 14:42, Jon Rust wrote:
>
> She has no other accounts on the network. The system was apparently
> broken into before I was running 4.2-S... probably 4.1.1-S from Oct 19.
> Telnet was allowed, but she only accessed it from our LAN. This machine

Is it possible that someone had a sniffer running on your LAN? Do you have remote users via a VPN? I've seen remote machines be compromised, and people use them as entry points into a firewalled network (*waves to AOL*)

> DNS set-up.) Speaking of which, didn't openssh have an exploit a few
> months ago? Maybe that was how they got in?

It's very possible.. If my memory serves, OpenSSH < 2.3.0 was remotely exploitable.

>
> jon

I hate it when people say things like this after the fact, but you may want to set up an IDS box on your internal network. I've had good luck with snort.. as always, ymmv :-\

Good luck,

// Gary

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message