Date: Wed, 18 Jun 1997 16:17:17 -0600
From: Chaotic
To: "If you don't know...FIND OUT!"
Cc: tacd@tacd.com
Subject: Re: break in

If you don't know...FIND OUT! wrote:
>
> Guys,
>
> You might have a disk-lamer on your homepage, but if someone
> breaks into my computer and then e-mails my passwd file to a person
> having an account on your domain -- I classify it as an illegal action.
> Explain what happened, why, how etc.... It is not fun! The least you
> can do is reveal who dis@tacd.com is! :))
>
> Radomir
>

Radomir,

We have no way of controlling what people e-mail to us. Your letter is an example of this. I don't want to come home from work and be accused of doing illegal actions for a) Having a virtual domain b) Having e-mail people can write to. We supply many people with e-mail aliases and respect the privacy of them. If they are indeed doing illegal things this would be something that should be resolved with their respective ISPs.

I completely understand your concerns about security and if you would like to discuss security with me, I might be able to provide some useful ideas for making your machine more secure. As for the passwd file being mailed out, I'm sure you have changed all the passwd's on your machine. If you haven't, I would suggest that you do it right away. If you have users whose gecos information might be revealing to an intruder, I would suggest you contact each of them and explain the situation to them. This will help lessen the impact of a social engineering attack.

Other areas I would be concerned in are NFS, telnet, ftp, http, and other services you run on ports. If you had an intruder on your system there is a chance he/she could have discovered vulnerabilities in those areas for future access. You should also check for backdoors placed on your system. Check the inetd, check for .rhosts files and hosts.equiv, check your cron, check the binaries on your system.. most importantly login and finger (other ones can be trojaned also); checking the inodes of these binaries will be a good indication if an intruder has tampered with them. Check your shared libraries. You will also want to look at all the suid root programs on your system, not just new ones that might spawn a root shell, but modified scripts or programs. These are the things that will protect you from an intruder and will help hinder further attempts to compromise the security of your system.

If you would like me to evaluate any logs I would be happy to do so. But as a warning, sending logs of your system can alert people to possible security vulnerabilities that might exist and if you don't trust me, I wouldn't send them.

Once again, I can't control who sends e-mail to accounts on our domain. Our web page is about security problems and hackers. This naturally attracts hackers to it. We receive countless e-mails from people about this. The reason (I don't feel we have to justify it to anyone, but under the circumstances that caused you to write us I believe you deserve to know) we deal in such areas is because they fascinate us. I personally find UNIX security to be an ever changing evolving creature and thus find it fascinating, not only for the technical aspects of it, but also for the intricate nature of the sub-culture that is built around it.

As a final note, I'll state once again.. We can't control who sends e-mail to our aliases. We will ask the person whose alias this is under if this was his/her doing and act accordingly to their response. But we will not blatantly give up someone's privacy because an e-mail was sent to their alias.

Kao
Kao@tacd.com

"Unnnnnngh... boobies.." - Encino Man
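
Several of the checks listed in the message above (.rhosts and hosts.equiv, inetd, suid programs, and the inodes of login and finger), sketched as a shell script. This is an added example, not part of the original e-mail; the root-prefix argument, the function names, the output labels and the constructed sample tree are assumptions.

```sh
#!/bin/sh
# Added example: inventory of places the message says to check after a break-in.
# Pass a root prefix so it can run against a mounted disk image or a test tree.

audit() {
    root=${1:-/}
    # r-command trust files; a line starting with "+" trusts every host or user
    find "$root" -type f \( -name .rhosts -o -name hosts.equiv \) 2>/dev/null |
    while read -r f; do
        echo "TRUST $f"
        grep -n '^[[:space:]]*+' "$f" /dev/null | sed 's/^/WILDCARD /'
    done
    # inetd entries whose server program (field 6) is a shell
    if [ -f "$root/etc/inetd.conf" ]; then
        awk '!/^[ \t]*#/ && $6 ~ /\/(sh|bash|csh|ksh)$/ {
                 print "INETD-SHELL line " NR ": " $1 }' "$root/etc/inetd.conf"
    fi
    # setuid files: review every one, not only recently created ones
    find "$root" -type f -perm -4000 2>/dev/null | sed 's/^/SETUID /'
    return 0
}

# Baseline "inode checksum path" for login and finger; diff two runs to spot changes.
# cksum is a CRC; keep baselines off-host and prefer a cryptographic hash.
snapshot() {
    root=${1:-/}
    for b in bin/login usr/bin/finger; do
        [ -f "$root/$b" ] || continue
        echo "$(ls -i "$root/$b" | awk '{print $1}') $(cksum < "$root/$b" | awk '{print $1}') $b"
    done
    return 0
}

make_sample() {   # constructed tree for the demo, not data from a real system
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/home/u1" "$d/bin" "$d/usr/bin"
    printf '+ +\n' > "$d/home/u1/.rhosts"
    printf 'trusted.example.org\n' > "$d/etc/hosts.equiv"
    printf '%s\n' '# constructed' 'ftp stream tcp nowait root /usr/sbin/ftpd ftpd' \
        'exampled stream tcp nowait root /bin/sh sh -i' > "$d/etc/inetd.conf"
    echo login-v1 > "$d/bin/login"; echo finger-v1 > "$d/usr/bin/finger"
    cp "$d/bin/login" "$d/home/u1/helper"; chmod 4755 "$d/home/u1/helper"
    echo "$d"
}

t=$(make_sample); audit "$t"; snapshot "$t"; rm -rf "$t"
```

On a suspect host, run the tools from trusted read-only media, since the system's own find, ls and cksum may themselves have been replaced.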