*BSD News Article 48858

From: iverse@cinenet.net (Richard Gilligan)
Newsgroups: comp.unix.bsd.bsdi.misc
Subject: Disturbing Security Problem
Date: Mon, 14 Aug 1995 18:35:33 -0800
Organization: Cinenet Communications,Internet Access,Los Angeles;310-301-4500
Lines: 14
Message-ID: <iverse-1408951835330001@island.interverse.com>
NNTP-Posting-Host: island.interverse.com

Today at about 3:00 all of the passwords disappeared from the BSDi system
I am administering.  Login was possible using any valid user name - no
password was required.  Any user could SU to root without a password
regardless of their group.  This machine is shared by 10 users with
accounts and passwords and is connected to the internet running httpd,
telnet, ftp, smtp.

Has anyone ever had this happen?  Is it a mistake I made or have we been
attacked?  If it happened to you, how would you go about investigating what
might have happened?  Most important: I would greatly appreciate advice on
how to clean up after such an episode.  (I feel unclean)

Thanks in advance for your help,
Richard Gilligan
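As a first investigative step for the symptoms described in the post (empty password fields, su to root without a password), here is an added audit script that is not from the original post. It parses passwd/master.passwd-format and group-format files and reports empty password fields, unexpected UID-0 accounts, and a missing or empty wheel group; the sample files are constructed, and on a real BSD host you would point the functions at /etc/master.passwd and /etc/group instead.

```shell
#!/bin/sh
# Added example (not from the original post): audit passwd/master.passwd-
# and group-format files for the symptoms described above. The sample
# files below are constructed; on a real host use /etc/master.passwd and
# /etc/group (master.passwd is mode 600, so run as root).

PASSWD_SAMPLE=$(mktemp)
cat > "$PASSWD_SAMPLE" <<'EOF'
root::0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
alice:$1$constructed$notarealhash:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob::1002:1002::0:0:Bob:/home/bob:/bin/sh
oper:*:0:5::0:0:Second UID-0 account:/:/bin/sh
EOF

GROUP_SAMPLE=$(mktemp)
cat > "$GROUP_SAMPLE" <<'EOF'
wheel:*:0:
daemon:*:1:
users:*:100:alice,bob
EOF

# One finding per line, as REASON:name. Fields 1-3 (name, password hash,
# uid) are the same in passwd and master.passwd, so either file works.
audit_passwd() {
    awk -F: '
        $2 == ""                { print "EMPTY_PASSWORD:" $1 }
        $3 == 0 && $1 != "root" { print "EXTRA_UID0:" $1 }
    ' "$1"
}

# BSD su consults the wheel group; an empty or missing wheel entry means
# group membership no longer restricts who may su to root.
audit_wheel() {
    awk -F: '
        $1 == "wheel" { seen = 1; if ($4 == "") print "EMPTY_WHEEL:wheel" }
        END           { if (!seen) print "MISSING_WHEEL:wheel" }
    ' "$1"
}

# Number of findings of one kind: count_findings <audit_fn> <file> <REASON>
# Useful from cron, which can mail the admin whenever the count is > 0.
count_findings() {
    "$1" "$2" | grep -c "^$3:" || true
}

audit_passwd "$PASSWD_SAMPLE"
audit_wheel "$GROUP_SAMPLE"
```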