Re: Root password changed
From: sysadmin (sysadmin@wvths.com)
Date: 01/06/03
Date: Mon, 06 Jan 2003 15:33:34 -0500
From: sysadmin <sysadmin@wvths.com>
To: RCS <rcs@flashwave.com>, incidents@securityfocus.com
RCS wrote:
>I have no idea how the root password on my FreeBSD 4.0 system was
>changed, only I have access to it and I have only SMTP (sendmail
>8.12.1), POP3 (qpopper), apache 1.3.26 and BIND 8.2.3. Everything else
>is restricted by ACLs at the router.
>
>I had to enter single user mode and change it today.
>
>I have thoroughly checked running processes and the logs and there is
>nothing suspicious.
>
>Please give me your opinion on what could have caused this.
>
>Thanks
>
>--
>Roberto Cardona Jr.
>
>--
>Roberto Cardona Jr.
>IT/IS Manager
>Corporate Office Centers | http://www.corporateofficecenters.com
>
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com
>
>
Versions of sendmail, apache & BIND that you're running aren't the
latest and possibly contain buffer overflows or other vulnerabilities.
Maybe it's time to start patching :p ?
Also, you might want to change console line in /etc/ttys to `unsecure`
as it's quite easy for someone to reboot your server into single-user &
do what you did (i.e. change the root passwd back).
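
Added example, not part of the original message: a small sh check for the console setting discussed above, which reports whether a single-user boot would hand out a root shell without a password. ttys(5) spells the flag `insecure`; the function names and sample file contents are constructed, and treating a console line with no `secure` flag as password-protected is an assumption.

```shell
#!/bin/sh
# Classify the console entry of a FreeBSD-style /etc/ttys file.

# console_mode FILE
# Prints "secure"   (single-user boot gives a root shell, no password),
#        "insecure" (init asks for the root password), or "missing".
console_mode() {
    awk '
        { sub(/#.*/, "") }                  # strip comments, re-split fields
        $1 == "console" && !found {         # first console entry wins
            found = 1
            mode = "insecure"               # assumption: no "secure" flag
            for (i = 2; i <= NF; i++)       # scan the status flags
                if ($i == "secure") mode = "secure"
        }
        END { print (found ? mode : "missing") }
    ' "$1"
}

# audit_console FILE: exit status 0 only when the console is insecure.
audit_console() {
    mode=$(console_mode "$1")
    case $mode in
        insecure) echo "OK: single-user mode asks for the root password"
                  return 0 ;;
        secure)   echo "WARN: console is secure; single-user needs no password"
                  return 1 ;;
        *)        echo "WARN: no console entry found in $1"
                  return 2 ;;
    esac
}

# Constructed sample input (not taken from the poster's system).
# $1 is the flag to put on the console line: secure or insecure.
sample_ttys() {
    printf '%s\n' \
        '# name  getty                     type    status' \
        "console none                      unknown off $1" \
        'ttyv0   "/usr/libexec/getty Pc"   cons25  on  secure'
}

# Audit the file given as an argument, else the constructed sample.
if [ $# -gt 0 ]; then
    audit_console "$1"
else
    t=$(mktemp); sample_ttys secure > "$t"; audit_console "$t" || :; rm -f "$t"
fi
```

Run it as `sh script.sh /etc/ttys`; a non-zero exit status means the console line should be reviewed.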