From owner-freebsd-questions Sun Jan 14 6:42:39 2001
From: "Doug Young"
To: freebsd-questions@freebsd.org
Subject: security issue with 4.2
Date: Mon, 15 Jan 2001 00:52:47 +1000
Sender: owner-freebsd-questions@FreeBSD.ORG

I'd appreciate feedback from the list on the following issue. As far as I can tell, the attempted intrusion was not successful, however I think it's probably time to take another look at increasing security measures & hopefully someone can suggest sources of suitable documentation. I tend to rely fairly heavily on the user-friendly sites such as bsdvault.net & freebsddiary.org but if there's other sources of fairly explicit info on this subject I'd be very interested in knowing.
Some weeks after installing 4.2 & instituting as many security features as I considered reasonable for a machine with nothing of particular value on it, I discovered the following entries in /var/log/messages:

Jan 14 11:52:41 bryden ftpd [32545]: /etc/pwd.db: No such file or directory
Jan 14 12:04:50 bryden ftpd [32559]: /etc/pwd.db: No such file or directory

which I presume means some vandal was intent on mischief.

The IP of the culprit is "216.232.154.85"; nslookup tells me that belongs to "atg93398y2j4.bc.hsia.telus.net".

Since the number resolves to a name I figure the user probably has a permanent account with telus.net, so notification of the telus.net webmaster is in order.
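As an added example (not part of the original post), here is a small Python parser for BSD-style /var/log/messages lines like the ones quoted above; it groups the messages logged by one daemon by their text, recording how many times each recurred, under which PIDs, and over what time span, which is the first thing to establish before deciding whether a repeated error is a misconfiguration or something to report. The sample input is constructed from the two ftpd lines in the post plus unrelated entries that the filter must skip.

```python
import re
from collections import defaultdict

# Classic BSD syslog layout: "Mon DD HH:MM:SS host prog[pid]: message".
# The \s* before the PID tolerates the "ftpd [32545]" spacing seen in the
# quoted post, which a strict "prog[pid]" pattern would reject.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[:\s]+)\s*(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Constructed sample: the two ftpd lines from the post plus two unrelated
# entries (cron, login) that summarize_program() must ignore.
SAMPLE_LOG = """\
Jan 14 11:52:41 bryden ftpd [32545]: /etc/pwd.db: No such file or directory
Jan 14 12:00:00 bryden /usr/sbin/cron[32550]: (root) CMD (/usr/libexec/atrun)
Jan 14 12:04:50 bryden ftpd [32559]: /etc/pwd.db: No such file or directory
Jan 14 12:10:00 bryden login: ROOT LOGIN (root) ON ttyv0
"""


def parse_line(line):
    """Return the fields of one syslog line as a dict, or None if no match."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None  # some daemons log no PID
    return rec


def summarize_program(text, prog="ftpd"):
    """Group messages logged by `prog`: count, PIDs, first and last timestamp."""
    summary = defaultdict(lambda: {"count": 0, "pids": [], "first": None, "last": None})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["prog"] != prog:
            continue
        entry = summary[rec["msg"]]
        entry["count"] += 1
        entry["pids"].append(rec["pid"])
        entry["first"] = entry["first"] or rec["ts"]
        entry["last"] = rec["ts"]
    return dict(summary)


def repeated_messages(summary, threshold=2):
    """Messages seen at least `threshold` times, most frequent first."""
    hits = [(msg, e["count"]) for msg, e in summary.items() if e["count"] >= threshold]
    return sorted(hits, key=lambda item: -item[1])
```

Running `repeated_messages(summarize_program(SAMPLE_LOG))` on the sample reports the pwd.db message twice, from PIDs 32545 and 32559, between 11:52:41 and 12:04:50.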