From owner-freebsd-questions  Tue Jan  5 06:31:34 1999
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id GAA20376
          for freebsd-questions-outgoing; Tue, 5 Jan 1999 06:31:34 -0800 (PST)
          (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from mail.netsys.hn ([206.48.255.45])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA20368
          for <freebsd-questions@FreeBSD.ORG>; Tue, 5 Jan 1999 06:31:28 -0800 (PST)
          (envelope-from freebsd@netsys.hn)
Received: from [206.48.255.64] (dedicated.netsys.hn [206.48.255.64])
	by mail.netsys.hn (8.9.1/8.9.1) with SMTP id IAA27782;
	Tue, 5 Jan 1999 08:31:21 -0600 (CST)
Message-Id: <199901051431.IAA27782@mail.netsys.hn>
To: Jim Mock <jim@corp.au.triax.com>, Mike Alich <hostmaster@cctinc.net>
Subject: Re: HACKED & SECURITY
Date: Tue, 05 Jan 99 08:31:24 -0500
From: FreeBSD Questions <freebsd@netsys.hn>
X-Mailer: E-Mail Connection v2.5.03
CC: "freebsd-questions@FreeBSD.ORG" <freebsd-questions@FreeBSD.ORG>
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

-- [ From: FreeBSD Questions * EMC.Ver #2.5.02 ] --

> Do a find for ... directories..
> 
> find / -name "..." -print

I was reading this article when I Decide to try this tests and I found this:

8:23 mail: {132} find / -name "..." -print
/usr/home/ggmsa/etc/...
8:24 mail: {133} 

Then I went into his directory and found:

8:27 mail: {134} more .history
logout
pine
ylogou^H^H
login jcisne
users
read
dir
cd
cat
gcc -c rdist-ex.c
more /etc/passwd
ezxi^H^H^H^H^Hexit
exit
finger
finger
who
finger qtaylor
ps alf
ps -alF
ps al
irc
BitchX
ircii
ircle
kill 5022
help
man
1
man
mail
pwd
cd
cd /
pwd
ls
cd /etc
ls
cat passwd
ls
cd passwd
pico
cat ^H^H^H^H^H^H^H
cat etc/passwsd
cat etc/passwd
cd cdup
cdup
help
erase set
cls
cat //etc/passwd
cat ///etc/p
cat ^H^H^H^H^H^H^H
cat ///etc
/cat
cat ///etc/p
8:27 mail: {135} 

Then I did a more on /etc/p and that is the /etc/passwd file.
 
> -- 
> : Jim Mock                      | [jim@corp.au.triax.com]       :
> : System Administrator          | http://www.triax.com/         :
> : Triax Internet Services       | ----------------------------- :
> : Portland, OR USA              | FreeBSD: The Power to Serve   :
> : Wagga Wagga, NSW Australia    | http://www.freebsd.org/       :

How can I be sure this guy still not in getting our passwds?
We had a hack with a sniffer so we upgraded to qpopper 2.53, still risks?

Thanks

P. Quintana

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message