From: Paul Procacci <pprocacci@datapipe.com>
Date: Thu, 10 Dec 2009 03:18:38 -0600
To: squirrel@isot.com
Cc: FreeBSD-STABLE Mailing List <freebsd-stable@freebsd.org>
Subject: Re: Hacked - FreeBSD 7.1-Release
Message-ID: <4B20BCEE.5020704@datapipe.com>
In-Reply-To: <70b530187d5c4ef4336260f6fdf72193@mail.isot.com>

>> But as far as the rtld vulnerability, doesn't it require at least a local user account?

No, it requires a script and a kiddie. ;)

You'd expect your "index.php" (or similar) files would require an ftp/ssh/telnet connection, but useful "kids" have useful resources in which these things are not always required. Anyone can execute any code (apparently) on your machine via the exploit, having anything they want running on your machine (i.e. they can set their env to whatever they want and get access to your machine pre-p5).
Your safest bet, especially since you weren't patched to the latest FreeBSD version which includes the rtld patch, is to simply not trust your machine at all, regardless of whether you are patching it now or not. I'd personally save your data, reformat the machine, and reinstall the items you need.

~Cheers