Date: Wed, 19 Nov 1997 11:20:39 -0800 (PST) From: Randy Katz <randyk@ccsales.com> To: WUSTL ListProc <wu-ftpd@wugate.wustl.edu> Cc: hackers@freebsd.org Subject: strange things...HELP!!! Message-ID: <Pine.BSF.3.91.971119111532.26571A-100000@ccsales.ccsales.com> In-Reply-To: <Pine.LNX.3.96.971119085547.20861C-100000@ns1.fni.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Hello, I tried to find out how this hacker is doing it on an ISP list and they said I was a hacker...HELP!!! The hacker ftp's into our server as a valid user (we will cancel him as soon as we know how to keep him out). Hacker copies /etc/master.passwd to his home directory. Hacker modified master.passwd. Hacker copies it back to /etc/master.passwd. How is he doing this? He does it fast (1 min. max). /etc/master.passwd is root/wheel 600. The hacker's account is not grouped under wheel. /etc/ is root/wheel 755. Is there something I'm doing wrong??? He can do it on any machine in our network. Don't try ccsales.com it's an old 2.1.0 FreeBSD box which I just use for personal mail. He has hacked it on FreeBSD 2.2.2 running wu-ftpd (BETA-13,14 & 15). HELP!!! Thanx, Randy Katz
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.91.971119111532.26571A-100000>