From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
To: "Jason"
Subject: RE: I was rooted using telnet
Date: Tue, 2 Oct 2001 02:06:15 -0700

Hi Jason et al.,

I know it's a bit late to jump in here, but let's be clear: a couple of days ago YOU DISCOVERED that you were rooted by someone using a telnet exploit. I know it sounds like a tired old saw here, folks, but I'll repeat it again: once a system has been root compromised it's completely untrustworthy unless nuked and repaved, and anything restored to it is certified clean. THIS INCLUDES SOURCES OF ANYTHING YOU WERE WORKING ON!!!

It's entirely possible that the crackers rooted you months before you discovered it and were sufficiently clever about it that they cleaned up after themselves, so that when they finally got careless and you discovered them, you only THOUGHT that they had rooted you a few days ago.
Once I get root on your machine I can alter anything I want and make you believe anything I want, if I'm sufficiently clever about doing it. Even the little baby wannabe crackers learn in cracking 101 that the very first thing to do once you've got a system compromised is to install a plethora of back doors. Once that happens you can CVSup and buildworld until the cows come home and it's not going to guarantee to kill all the trojans in the system. The crackers can easily install back doors in your source tree as well as the binaries.

Face the facts: you got cracked by someone because you overlooked something and made a mistake. Understand that this isn't a reflection on you; everyone makes mistakes, and the cracker was probably running some script whose functionality he was too stupid to understand, or to modify, anyway. But you're deluding yourself if you think that you can somehow "clean up" your system by going through it and recompiling this and that. Only a complete remove and reinstall is going to guarantee that you have a system clean of any trojans.

I know that people whine and cry about it because nobody likes backing up, and the theory is that somehow you can do an overwrite install that is going to preserve all your settings and such without the bother of typing them all in again. But you have to own up that some mistakes that you make are going to have consequences that are very costly, without quick fixes.

Ted Mittelstaedt
tedm@toybox.placo.com
Author of: The FreeBSD Corporate Networker's Guide
Book website: http://www.freebsd-corp-net-guide.com

>-----Original Message-----
>From: owner-freebsd-questions@FreeBSD.ORG
>[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Jason
>Sent: Saturday, September 29, 2001 2:14 PM
>To: questions@FreeBSD.ORG
>Subject: I was rooted using telnet
>
>
>Hello:
>
>A couple of days ago I was rooted by someone using a telnet exploit.
>I have been cvsup'ing my sources regularly and was using 4.4-RC at the
>time. I've since moved to 4.4-STABLE. It looks like they used some kind
>of script. I still have it if anyone wants it. Since then I have turned
>off telnet in inetd and blocked the port with a firewall.
>
>Anyone have any ideas on how a person could do this? It looks like this
>script just tries to move a lot of data for a long period of time.
>
>---
>Jason
>jason@jason-n3xt.org
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-questions" in the body of the message
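Ted's point is that nothing on the compromised host, source tree included, can be trusted, and that "anything restored to it is certified clean" has to be established against a reference that never lived on that host. The script below, an added example that is not part of the mailing-list thread or of FreeBSD, shows one way to do that certification: a manifest of SHA-256 digests and permission bits is built from a known-good tree on a trusted machine, kept offline, and later used to check a restored copy. The sample tree, file names and tampering are constructed inline for the demonstration; the assumption is that the manifest was produced before the compromise and stored off the affected system, because a manifest generated on the rooted box is itself untrustworthy.

```python
"""Certify a restored tree against a known-good manifest kept off-host.

Added example, not code from the thread or from FreeBSD. Assumes the
trusted manifest was built on a clean machine BEFORE the compromise and
stored offline; the sample tree and tampering below are constructed here.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

Manifest = dict[str, tuple[str, int]]  # relative path -> (sha256, mode bits)


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries don't need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Manifest:
    """Record digest and permission bits for every regular file under root.

    Symlinks are skipped here; a real manifest would record their targets too.
    """
    manifest: Manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            mode = stat.S_IMODE(p.lstat().st_mode)
            manifest[p.relative_to(root).as_posix()] = (sha256_file(p), mode)
    return manifest


def verify_tree(root: Path, trusted: Manifest) -> dict[str, list[str]]:
    """Diff a tree against the trusted manifest.

    Any non-empty list means the tree is NOT certified clean. The right response
    is to discard it and restore again from trusted media, not to patch it up.
    """
    current = build_manifest(root)
    report: dict[str, list[str]] = {
        "modified": [], "mode_changed": [], "missing": [], "added": []
    }
    for rel, (digest, mode) in trusted.items():
        if rel not in current:
            report["missing"].append(rel)
            continue
        cur_digest, cur_mode = current[rel]
        if cur_digest != digest:
            report["modified"].append(rel)       # content replaced (e.g. backdoored source)
        elif cur_mode != mode:
            report["mode_changed"].append(rel)   # same bytes, but e.g. setuid added
    report["added"] = sorted(set(current) - set(trusted))  # files the clean tree never had
    return report


def demo() -> dict[str, list[str]]:
    """Constructed scenario: snapshot a clean 'source tree', then tamper with it
    the way the thread describes (trojaned source, added file, changed modes)."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = Path(tmp) / "src"
        (tree / "lib" / "libc").mkdir(parents=True)
        (tree / "usr.bin").mkdir()
        (tree / "lib" / "libc" / "getpwnam.c").write_text("/* clean */\n")
        (tree / "usr.bin" / "login.c").write_text("int main(void) { return 0; }\n")
        (tree / "Makefile").write_text("all:\n")
        os.chmod(tree / "Makefile", 0o644)
        trusted = build_manifest(tree)  # in practice: built earlier, stored off-host

        # Tampering after the snapshot, as an intruder with root might do
        (tree / "lib" / "libc" / "getpwnam.c").write_text("/* backdoor */\n")
        os.chmod(tree / "Makefile", 0o4755)       # mode change only, bytes identical
        (tree / "usr.bin" / ".rk").write_text("x\n")  # dropped file
        (tree / "usr.bin" / "login.c").unlink()   # removed file

        return verify_tree(tree, trusted)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for rel in paths:
            print(f"{kind:13s} {rel}")
```

Note that the check catches the mode-only change to `Makefile` even though its contents are unchanged, which a hash-only comparison would miss, and that it reports files the clean tree never contained. In real use the manifest and the verifier itself would be run from read-only trusted media, since a verifier copied onto the compromised host is as suspect as everything else on it.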