Date: Sat, 2 Dec 1995 19:09:40 +0000 ()
From: Michael Smith <msmith@atrad.adelaide.edu.au>
To: rdugaue@calweb.com (Robert Du Gaue)
Cc: jkh@time.cdrom.com, security@FreeBSD.ORG
Subject: Re: ****HELP*****
Message-ID: <199512021909.TAA21321@genesis.atrad.adelaide.edu.au>
In-Reply-To: <Pine.BSF.3.91.951130003836.16443A-100000@web1.calweb.com> from "Robert Du Gaue" at Nov 30, 95 00:55:10 am

Robert Du Gaue stands accused of saying:
> Well it's a regular user. Is this the normal method? Reassign him a new
> login id? One thing is though is that he's a dedicated fix-ip account too
> with a registered domain so I'm hesitant to disable his system because of
> something someone is doing to him. I can remove his local account, but
> the hacker has also gone into the radius /etc/raddb/users file and
> removed his fixed IP login also.

Just on the networking side, check that you _don't_ have the bpf code
(options bpfilter n) in the FreeBSD kernel.

Do a virgin install to another machine and check the permissions on
everything in /dev, and sizes, dates and _md5_checksums_ of all of your
system binaries.

Jordan; how hard would it be to generate a file with the md5's of a stock
release system's "standard binaries" for this sort of thing?

> > I'm curious how he got ahold of the real password file - are you sure
> > it wasn't just the shadow passwords?
>
> When we specifically asked the user if there was an '*' in the second
> field he said 'no, a bunch of garbage characters'.

I would presume you've checked the permissions on /etc/master.passwd,
/etc/pwd.db and /etc/spwd.db?

Change the admin passwords on the portmaster too (if it has that sort of
thing). Change your root password too. (obviously 8)

> Really???? Has Law Enforcement finally figured out this is serious shit?
> I was under the impression that most agencies have no clue on what to do
> and how to do anything about it.

Hell yes. There's money in the industry now 8)

--
]] Mike Smith, Software Engineer        msmith@atrad.adelaide.edu.au    [[
]] Genesis Software                     genesis@atrad.adelaide.edu.au   [[
]] High-speed data acquisition and      (GSM mobile)     041-122-496    [[
]] realtime instrument control          (ph/fax)  +61-8-267-3039        [[
]] "Who does BSD?"  "We do Chucky, we do."                              [[
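
The comparison against a virgin install that the message recommends, sketched as an added example that is not part of the original e-mail or of FreeBSD: it records permission bits, size and MD5 digest for each file in a clean tree and reports where the suspect tree differs. The function names and the sample trees built in `demo()` are constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(root, algo="md5"):
    """Map each regular file under root to (permission bits, size, digest)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and device nodes need their own checks
            with open(path, "rb") as fh:
                digest = hashlib.new(algo, fh.read()).hexdigest()
            manifest[os.path.relpath(path, root)] = (stat.S_IMODE(st.st_mode), st.st_size, digest)
    return manifest

def compare(baseline, suspect):
    """Return sorted (path, reason) findings; dates are skipped as install-specific."""
    findings = []
    for path in sorted(set(baseline) | set(suspect)):
        if path not in suspect:
            findings.append((path, "missing"))
        elif path not in baseline:
            findings.append((path, "unexpected"))
        else:
            (bmode, bsize, bsum), (smode, ssize, ssum) = baseline[path], suspect[path]
            if bsum != ssum:  # a size check alone misses same-length replacements
                note = "size unchanged" if bsize == ssize else f"size {bsize} -> {ssize}"
                findings.append((path, f"content differs ({note})"))
            if bmode != smode:
                findings.append((path, f"mode {bmode:o} -> {smode:o}"))
    return findings

def demo():
    # Constructed sample trees standing in for the clean and the suspect system.
    clean = {"bin/ls": (b"ls-v1", 0o555), "bin/login": (b"login-v1", 0o555),
             "etc/master.passwd": (b"constructed\n", 0o600)}
    suspect = {**clean, "bin/login": (b"login-vX", 0o555), "bin/.x": (b"?", 0o555),
               "etc/master.passwd": (b"constructed\n", 0o644)}
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        for root, files in ((a, clean), (b, suspect)):
            for rel, (data, mode) in files.items():
                path = os.path.join(root, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as fh:
                    fh.write(data)
                os.chmod(path, mode)
        return compare(snapshot(a), snapshot(b))
```

Run `snapshot()` on the clean machine and carry the result over on read-only media, so the suspect system's own tools are not trusted to produce the baseline.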