From owner-freebsd-security Mon Jul 28 17:45:20 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id RAA18243 for security-outgoing; Mon, 28 Jul 1997 17:45:20 -0700 (PDT)
Received: from mail.webspan.net (root@mail.webspan.net [206.154.70.7]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id RAA18236 for ; Mon, 28 Jul 1997 17:45:11 -0700 (PDT)
Received: from orion.webspan.net (orion.webspan.net [206.154.70.5]) by mail.webspan.net (WEBSPAN/970608) with ESMTP id UAA27505; Mon, 28 Jul 1997 20:44:50 -0400 (EDT)
Received: from orion.webspan.net (localhost [127.0.0.1]) by orion.webspan.net (WEBSPAN/970608) with ESMTP id UAA09761; Mon, 28 Jul 1997 20:44:45 -0400 (EDT)
To: Vincent Poy
cc: "Jordan K. Hubbard", security@FreeBSD.ORG, "[Mario1-]", JbHunt
From: "Gary Palmer"
Subject: Re: security hole in FreeBSD
In-reply-to: Your message of "Mon, 28 Jul 1997 16:15:13 PDT."
Date: Mon, 28 Jul 1997 20:44:45 -0400
Message-ID: <9758.870137085@orion.webspan.net>
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Vincent Poy wrote in message ID :
> On Mon, 28 Jul 1997, Jordan K. Hubbard wrote:
>
> =)I think you are describing the symptom, not the problem.
> =)
> =)This looks very much like a system which was broken into and then
> =)trojan'd to allow easier, more invisible access. How do you know,
> =)for example, that your telnetd is really telnetd? Did you verify that? ;)
>
> Well, because I connect to the system using telnet ;) Also, this
> guy has been known to break into machines
> (theca@wil-de7-10.ix.netcom.com). This is the person who also hacked
> irc.hardlink.com. I think this person goes around hacking machine after
> machine, and nobody does anything about it.

If this hack caused loss of service, notify your local (or state) police. They'll do something.
> =)Also, I'd check that inetd.conf file again and make _really sure_ you
> =)haven't left remote shell access enabled - a lot of people miss that
> =)because it's not explicitly labelled "rlogin" like they might expect.
>
> I checked and disabled everything except telnetd in
> /etc/inetd.conf and rebooted the machine and then he kicked all of us who
> are admins out and shut down the system.

Vince, I hate to say this, but you really need to learn more about administering a system. Do you use SSH for secure access for people who have root access? If not, you are *ASKING* to be hacked every day of the week. If you don't use SSH, do you use one-time passwords (e.g. skey)?

How do you know your telnetd binary is what it claims to be? Your machine has been compromised to the *ROOT* level. *EVERY* single binary and file on that machine *COULD HAVE BEEN REPLACED*. Take that machine off the net *NOW* and work on it from console. If that is not an option, then you really need to start learning (fast) about just what a hacker can do to your system. If he really has that level of access, you are *SCREWED* right now without console access. Even if you put sshd on there now, he could have it replaced with his own version before you could make use of it and kick him off.

And I must say, if you haven't taken reasonable steps to secure your admin sessions, and followed the security and cvs mailing lists for bugs, then you really have been asking for this. I know (from experience) just what it takes to run a shell server, and just what hackers these days can do with 5 minutes of their spare time.

Gary
--
Gary Palmer                                          FreeBSD Core Team Member
FreeBSD: Turning PC's into workstations.  See http://www.FreeBSD.ORG/ for info
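The two concrete questions in this exchange, whether the r-services are really off in inetd.conf and whether telnetd (or any other binary) is still the one that was installed, can both be answered mechanically. The script below is an added example written for this page, not code from the thread or from FreeBSD: it lists the enabled inetd entries that hand out remote shells (the "shell", "login" and "exec" services behind rshd, rlogind and rexecd, which is why no line is ever labelled "rlogin"), and it compares an installed tree against a manifest of SHA-256 hashes taken from a known-good copy. The inetd.conf and the two file trees are constructed inline for the demonstration; in practice the manifest comes from install media or a clean host. The hash tool is assumed to be GNU sha256sum or FreeBSD sha256(1).

```shell
#!/bin/sh
# Added example, not from the original thread. Two checks the reply asks for:
#   audit_inetd     - list r-service entries still enabled in an inetd.conf
#                     ("shell"/"login"/"exec"; there is never a line named rlogin)
#   verify_manifest - compare installed files against SHA-256 hashes recorded
#                     from a known-good tree (install media or a clean host)
# The inetd.conf and the file trees below are constructed for the demo.
# Assumption: run this from a trusted boot (console, fixit media) with a shell
# and hash tool copied from that media; on a rooted box the installed
# sha256/awk/grep could themselves be the trojan.

set -u

# Hash one file with whatever SHA-256 tool the platform has
# (GNU coreutils sha256sum on Linux, sha256(1) on FreeBSD).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        sha256 -q "$1"
    fi
}

# Print the names of enabled (uncommented) inetd services that give remote
# shells: shell (rshd), login (rlogind), exec (rexecd). One name per line.
audit_inetd() {
    grep -v '^[[:space:]]*#' "$1" |
        awk 'NF >= 6 && ($1 == "shell" || $1 == "login" || $1 == "exec") { print $1 }'
}

# Emit "<sha256>  <relative path>" for every regular file under the
# known-good tree given as $1. Generate this on trusted media, not on the
# suspect host.
make_manifest() {
    ( cd "$1" && find . -type f | sed 's|^\./||' | sort | while read -r p; do
        printf '%s  %s\n' "$(hash_file "$p")" "$p"
    done )
}

# Check the tree rooted at $2 against manifest $1. Prints MISSING/MISMATCH
# lines; returns 0 only if every listed file is present and identical.
verify_manifest() {
    manifest=$1; root=$2; rc=0
    while read -r want path; do
        [ -n "$path" ] || continue
        f="$root/$path"
        if [ ! -f "$f" ]; then
            echo "MISSING $path"; rc=1; continue
        fi
        got=$(hash_file "$f")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $path"; rc=1
        fi
    done < "$manifest"
    return $rc
}

# Build a constructed scenario: an inetd.conf that still has the r-services
# on, a trusted tree, and an "installed" tree with telnetd replaced and
# rlogind deleted. Prints the scratch directory.
build_demo() {
    d=$(mktemp -d)
    cat > "$d/inetd.conf" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
shell   stream  tcp     nowait  root    /usr/libexec/rshd       rshd
login   stream  tcp     nowait  root    /usr/libexec/rlogind    rlogind
#exec   stream  tcp     nowait  root    /usr/libexec/rexecd     rexecd
EOF
    mkdir -p "$d/trusted/usr/libexec" "$d/installed/usr/libexec"
    printf 'genuine telnetd\n' > "$d/trusted/usr/libexec/telnetd"
    printf 'genuine rlogind\n' > "$d/trusted/usr/libexec/rlogind"
    printf 'genuine ftpd\n'    > "$d/trusted/usr/libexec/ftpd"
    printf 'replaced telnetd\n' > "$d/installed/usr/libexec/telnetd"   # stands in for a trojan
    printf 'genuine ftpd\n'     > "$d/installed/usr/libexec/ftpd"
    make_manifest "$d/trusted" > "$d/manifest"
    echo "$d"
}

# Stand-alone run on the constructed scenario.
demo=$(build_demo)
echo "enabled r-services in inetd.conf:"
audit_inetd "$demo/inetd.conf"
echo "installed tree vs. trusted manifest:"
verify_manifest "$demo/manifest" "$demo/installed" || echo "integrity check FAILED: do not trust this system"
rm -rf "$demo"
```

On the constructed data the audit prints "shell" and "login" (the commented-out exec line is ignored), and the verification reports rlogind as MISSING and telnetd as MISMATCH and exits non-zero. A clean run only says something if the manifest and the tools doing the comparison came from outside the compromised system, which is the point of the reply: a match proves nothing if the sha256 binary, the shell and the kernel being used are the attacker's. FreeBSD's mtree(8) can produce and check the same kind of specification with its own file format.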