From owner-freebsd-questions Mon Apr 20 21:37:20 1998
Message-ID: <353C2095.345BF651@whistle.com>
Date: Mon, 20 Apr 1998 21:29:09 -0700
From: Julian Elischer
Organization: Whistle Communications
To: tj
CC: freebsd-questions@FreeBSD.ORG
Subject: Re: my freebsd su has been compromised, now what?
References: <199804210406.EAA17254@hub.freebsd.org>

tj wrote:
>
> he also made himself a backdoor to
> root. I found the file(or did I?!?)

probably, he wasn't trying to hide it..

[...]

> do I have to start over, like my ISP friend recommends

did you install from CDROM?
if so make a list of all the files that differ from the 2nd CD (live file system)
use 'find' to check for all SUID programs and check them all
check all the files in /etc for changes (compare against the cd or the distribution) and check the dates.
check his passwd entry and check /etc/ttys and /etc/group (among other things).

it doesn't sound like he was doing much..
I might do that myself if I was setting up a machine, just in case I accidentally shut myself out of root during the testing..
Just consider yourself as having learned a lesson.
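The two checks Julian suggests above, finding every setuid/setgid program and diffing the installed files against a known-good copy, scripted as an added example. This is not code from the original mail or from FreeBSD; it assumes the pristine tree (the "live file system" CD in the mail) is mounted at a directory you pass as REF, and the sample trees, file contents and the planted setuid shell copy are constructed inside the script for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original mail): the two checks Julian suggests,
# scripted against a known-good reference tree such as a mounted install CD.
# All sample trees, file contents and the planted SUID shell are constructed
# below for the demo; point REF/LIVE at real mount points in practice.

# list_setid ROOT: every regular file under ROOT with the setuid or setgid bit.
list_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# diff_trees REF LIVE: report files that were added, modified or removed in
# LIVE relative to REF (paths are relative, as printed by find).
diff_trees() {
    ref=$1
    live=$2
    ( cd "$live" && find . -type f ) | sort | while IFS= read -r f; do
        if [ ! -f "$ref/$f" ]; then
            printf 'added:    %s\n' "$f"
        elif ! cmp -s "$ref/$f" "$live/$f"; then
            printf 'modified: %s\n' "$f"
        fi
    done
    ( cd "$ref" && find . -type f ) | sort | while IFS= read -r f; do
        [ -f "$live/$f" ] || printf 'removed:  %s\n' "$f"
    done
}

# build_demo: construct a pristine "ref" tree and a tampered "live" tree in a
# temp dir and print the dir name. Constructed data: an extra uid-0 account in
# master.passwd, an extra wheel member in group, and a hidden setuid copy of sh.
build_demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/ref/etc" "$d/live/etc" "$d/live/usr/local/bin"
    printf 'root:*:0:0::0:0:Charlie &:/root:/bin/csh\n' > "$d/ref/etc/master.passwd"
    printf 'root:*:0:0::0:0:Charlie &:/root:/bin/csh\nbd::0:0::0:0:spare root:/:/bin/sh\n' \
        > "$d/live/etc/master.passwd"
    printf 'ttyv0 "/usr/libexec/getty Pc" cons25 on secure\n' > "$d/ref/etc/ttys"
    cp "$d/ref/etc/ttys" "$d/live/etc/ttys"          # unchanged: must not be reported
    printf 'wheel:*:0:root\n' > "$d/ref/etc/group"
    printf 'wheel:*:0:root,bd\n' > "$d/live/etc/group"
    printf '#!/bin/sh\nexec /bin/sh "$@"\n' > "$d/live/usr/local/bin/.sh"
    chmod 4755 "$d/live/usr/local/bin/.sh"           # the planted setuid backdoor
    printf '%s\n' "$d"
}

# Stand-alone run: build the demo trees, run both checks, clean up.
demo_dir=$(build_demo)
echo "setuid/setgid files under live tree:"
list_setid "$demo_dir/live"
echo "differences live vs ref:"
diff_trees "$demo_dir/ref" "$demo_dir/live"
rm -rf "$demo_dir"
```

Two caveats when doing this for real. Run find, cmp and the shell from the CD's own binaries rather than from the suspect root, since a replaced find or ls would simply not report its own files. And on FreeBSD the native tool for the comparison is mtree(8): record a spec from the clean tree with `mtree -c -K md5digest -p /etc > etc.spec` and later compare with `mtree -p /etc < etc.spec`, which also flags the ownership, mode and date changes the mail tells you to look at.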