Date: Wed, 29 Aug 2001 22:04:06 -0700
From: Kris Kennaway <kris@obsecurity.org>
To: Brian <bbayorgeon@new.rr.com>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Ok, I have been hacked, toor exploited apparently
Message-ID: <20010829220406.A80634@xor.obsecurity.org>
In-Reply-To: <ILECJPOKCPCCHDEMKLBNMENICEAA.bbayorgeon@new.rr.com>; from bbayorgeon@new.rr.com on Wed, Aug 29, 2001 at 10:48:44PM -0500
References: <ILECJPOKCPCCHDEMKLBNMENICEAA.bbayorgeon@new.rr.com>
On Wed, Aug 29, 2001 at 10:48:44PM -0500, Brian wrote:
> 7-info.log:Aug 7 08:15:46 ceil telnetd[24924]: ttloop: peer died: No such file or directory
> daemon.log:Aug 7 08:15:46 ceil telnetd[24924]: ttloop: peer died: No such file or directory
> 8-debug.log:Aug 7 08:47:55 ceil passwd: user toor changed their local password
> user.log:Aug 7 08:47:55 ceil passwd: user toor changed their local password

They got in via telnetd, changed the password of toor (an alternate root
account usually used for convenience so you can use a different login
shell for it) so they could get back in, and then did various other stuff
you probably have no chance to completely track down.

At this point you need to:

* Wipe the system and reinstall it -- otherwise, you'll probably miss
  backdoors they've left behind.

* Don't enable telnetd until you can patch it. Don't go back on the net
  with a vulnerable telnetd or it will just happen again.

* Read the security advisories at http://www.freebsd.org/security and
  *subscribe to a mailing list to receive notification of future
  vulnerabilities!*

* Patch existing security holes in your release, or take appropriate
  workarounds as detailed in the advisories.

Kris
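The two log indicators Kris points to (telnetd "ttloop: peer died" errors followed by a password change on toor) can be picked out of syslog mechanically. The script below is an added example, not code from the thread or from FreeBSD: it parses syslog-style lines, reads uid-0 accounts out of a passwd/master.passwd file (toor is only interesting because it is uid 0), and flags any uid-0 password change that follows a telnetd ttloop error on the same host within a time window. The log lines, the master.passwd excerpt, the host name "ceil", the hash placeholders and the two-hour window are all constructed for the example.

```python
"""Scan syslog-style lines for the two indicators quoted in the thread:
telnetd "ttloop: peer died" errors and a password change on a uid-0
account such as toor, then correlate them in time.
Added example; not code from the thread or from FreeBSD."""
import re
from datetime import datetime, timedelta

# Constructed sample input modelled on the lines quoted in the thread
# (host "ceil"); the sshd line and the brian passwd line are added noise.
SAMPLE_LOG = """\
Aug  7 08:10:01 ceil sshd[24800]: Accepted publickey for brian from 10.0.0.5 port 51022
Aug  7 08:15:46 ceil telnetd[24924]: ttloop: peer died: No such file or directory
Aug  7 08:15:47 ceil telnetd[24925]: ttloop: peer died: No such file or directory
Aug  7 08:47:55 ceil passwd: user toor changed their local password
Aug  8 09:00:00 ceil passwd: user brian changed their local password
"""

# Constructed /etc/master.passwd excerpt. toor has had a password set
# (the hashes are placeholders, not real); a stock install ships it locked with "*".
SAMPLE_MASTER_PASSWD = """\
root:$1$placeholder$rootHashNotReal:0:0::0:0:Charlie &:/root:/bin/csh
toor:$1$placeholder$toorHashNotReal:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
brian:$1$placeholder$brianHashNotReal:1001:1001::0:0:Brian:/home/brian:/bin/sh
"""

# "Mon DD HH:MM:SS host prog[pid]: message" (pid optional)
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?:\s(?P<msg>.*)$"
)
TTLOOP_RE = re.compile(r"ttloop: peer died")
PASSWD_RE = re.compile(r"user (?P<user>\S+) changed their local password")


def parse_syslog(text, year):
    """Return (timestamp, host, prog, pid, msg) tuples. Syslog lines carry
    no year, so the caller supplies it; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse the padded day field
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["host"], m["prog"], m["pid"], m["msg"]))
    return events


def uid0_accounts(passwd_text):
    """Usernames whose uid is 0. The uid is the third colon-separated field
    in both /etc/passwd and /etc/master.passwd, so either file works."""
    names = set()
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0":
            names.add(fields[0])
    return names


def find_indicators(events, root_names, window=timedelta(hours=2)):
    """Flag each password change on a uid-0 account and count the telnetd
    ttloop errors on the same host in the `window` before it."""
    ttloop = [e for e in events if e[2] == "telnetd" and TTLOOP_RE.search(e[4])]
    findings = []
    for ts, host, prog, _pid, msg in events:
        if prog != "passwd":
            continue
        m = PASSWD_RE.search(msg)
        if not m or m["user"] not in root_names:
            continue
        prior = [t for t in ttloop if t[1] == host and ts - window <= t[0] <= ts]
        findings.append({
            "host": host,
            "account": m["user"],
            "changed_at": ts,
            "telnetd_errors_before": len(prior),
            "first_telnetd_error": prior[0][0] if prior else None,
        })
    return findings


if __name__ == "__main__":
    roots = uid0_accounts(SAMPLE_MASTER_PASSWD)
    for finding in find_indicators(parse_syslog(SAMPLE_LOG, 2001), roots):
        print(finding)
```

On a real box you would feed it the concatenated /var/log files and the output of `cat /etc/master.passwd` taken from a read-only copy of the disk, since the advice in the reply still stands: a uid-0 password change you did not make means the logs themselves may have been edited, and a positive finding is a reason to reinstall, not a complete list of what was touched.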