Re: Root password changed

From: sysadmin (sysadmin@wvths.com)
Date: 01/06/03

    Date: Mon, 06 Jan 2003 15:33:34 -0500
    From: sysadmin <sysadmin@wvths.com>
    To: RCS <rcs@flashwave.com>, incidents@securityfocus.com
    
    

    RCS wrote:

    >I have no idea how the root password on my FreeBSD 4.0 system was
    >changed, only I have access to it and I have only SMTP (sendmail
    >8.12.1), POP3 (qpopper), apache 1.3.26 and BIND 8.2.3. Everything else
    >is restricted by ACLs at the router.
    >
    >I had to enter single user mode and change it today.
    >
    >I have thoroughly checked running processes and the logs and there is
    >nothing suspicious.
    >
    >Please give me your opinion on what could have caused this.
    >
    >Thanks
    >
    >--
    >Roberto Cardona Jr.
    >IT/IS Manager
    >Corporate Office Centers | http://www.corporateofficecenters.com
    >
    >
    >----------------------------------------------------------------------------
    >This list is provided by the SecurityFocus ARIS analyzer service.
    >For more information on this free incident handling, management
    >and tracking system please see: http://aris.securityfocus.com
    >
    >
    The versions of sendmail, apache & BIND that you're running aren't the
    latest and possibly contain buffer overflows or other vulnerabilities.
    Maybe it's time to start patching :p ?

    Also, you might want to change the console line in /etc/ttys to `unsecure`,
    as it's quite easy for someone to reboot your server into single-user &
    do what you did (i.e. change the root passwd back).

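An added example, not part of the original thread: a small audit of the console entry in a FreeBSD-style /etc/ttys. In ttys(5) the keyword is `insecure`, and with it init asks for the root password before giving a single-user shell. The function name `check_console_ttys` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# check_console_ttys FILE prints one of:
#   secure    - single-user boot gives a root shell without a password
#   insecure  - single-user boot asks for the root password
#   missing   - no console entry in FILE
check_console_ttys() {
    awk '
        { sub(/#.*/, "") }                   # strip comments
        $1 != "console" { next }
        {
            line = $0
            gsub(/"[^"]*"/, "GETTY", line)   # quoted getty command may contain spaces
            n = split(line, f)
            state = "insecure"               # without a "secure" flag the password is required
            # Fields 1-3 are name, getty command and terminal type; flags follow.
            for (i = 4; i <= n; i++)
                if (f[i] == "secure" || f[i] == "insecure") state = f[i]
            found = 1
            print state
            exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# Constructed sample input: a console line marked secure, then the hardened form.
tmp=$(mktemp)
printf 'console\tnone\t\t\t\tunknown\toff secure\n' > "$tmp"
echo "before: $(check_console_ttys "$tmp")"
printf 'console\tnone\t\t\t\tunknown\toff insecure\n' > "$tmp"
echo "after:  $(check_console_ttys "$tmp")"
rm -f "$tmp"
```

On a live system, run it against /etc/ttys; a result of `secure` means anyone with console access can reset the root password from single-user mode.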


