On Mon, 28 Jul 1997, Robert Watson wrote:

=)> =)I'd be tempted to look in all the normal places -- sendmail, etc. What =)> =)daemons were running on the machine? Any web server processes? Also, I'd =)> =)heavily suspect that he sniffed a password if no encrypted telnet/ssh is =)> =)in use.. Any use of NIS going on? Also, .rhosts arrangements can be =)> =)extremely unhappy if we already know (s)he is messing with DNS entries. =)> =)> sendmail is running as well as apache httpd... ftpd, telnetd, and =)> ircd. No NIS. ALl I know was he managed to changed everyone's .rhosts =)> file when it doesn't exist originally and the contents just had: =)> + + =)> in it. =) =)This guy sounds like either he has good tools, or good experience. For =)safety's sake, I'd guess the latter. All he needed was one sniffed =)password to get on the system, and then you may be stuck with known holes =)in application software. Most of the security problems I've seen have =)started with a sniffed password, but this comes from dormitory experience =):).

Yep, sniffing would work but can they actually sniff outside of the network?

=)Your best hope at this point is to shut down the system, boot on a floppy =)with a CDROM mounted, and then do a strategic MD5 checksum of all binaries =)and check for changes. If you're running STABLE, your best bet may be to =)sup down differences, but to reinstall the binaries necessary to support =)the cvsup stuff from CDROM, as well as system kernel and /bin, /sbin, etc. =)If he's made enough changes to zap syslog, netstat, login-stuff, I =)wouldn't trust any other tools on the system currently.

Not even a rebuild of -current after cvs?

Cheers, Vince - vin...@MCESTATE.COM - vin...@GAIANET.NET ________ __ ____ Unix Networking Operations - FreeBSD-Real Unix for Free / / / / | / |[__ ] GaiaNet Corporation - M & C Estate / / / / | / | __] ] Beverly Hills, California USA 90210 / / / / / |/ / | __] ] HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____]