---------- Forwarded message ----------
Date: Wed, 18 Jun 1997 20:08:08 -0400 (EDT)
From: System privileged account
To: Chaotic@tacs.com
Cc: phill@tacd.com
Subject: break-in, part II

Hi guys,

Here's more info on that recent break-in into my machine. I've been very busy at work today, so I really didn't have time to check every little thing, but I'll tell you what I did so far, as well as what I might do:

I come to work this morning and log on to check mail and if the system is up and running. As I routinely do, I check last log -- and what a surprise -- a few hours before a user r00p logged on and stayed for 3 minutes:

    r00p ttyp4 intake.MADRIVER. Wed Jun 18 06:32 - 06:35 (00:03)

Needless to say, such an account never existed before. Also, I never heard of this domain "madriver.com". So I check /etc/passwd and such user is not in it. Also, in /var/spool a new directory was created: locate... what an innocent name :))

But it is sad for a "hacker" to break in, do almost no cleaning behind himself and, even worse, e-mail the passwd file using the root account (by pine). Hey, you gotta be either stupid or sumfin to e-mail and not delete the sent message from the "sent-messages" folder. It reveals where the file was e-mailed to: dis@tacd.com

Thus I e-mailed you guys. I know you sure cannot control who's sending what kind of messages to whom, but you also understand that if any criminal activity has been reported, you have to lock or remove his account (or whatever he is using on your server).

I am still trying to figure out how he got in. I have sendmail 8.8.5 and the maillog says: Apparently, imapd was used:

    imapd[14485]: connect from 208.206.182.145 (from secure log)

Any advice?

Thanks in advance,
Radomir
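The manual check Radomir describes (read the login records, then look for users that are not in /etc/passwd and hosts you have never heard of) can be scripted. The following is an added example written for this page; it is not code from Radomir or anyone else on the thread. It parses constructed `last`-style output modelled on the r00p line in the message, together with a constructed passwd excerpt, and flags logins whose user has no account or whose source host does not match a suffix list; `KNOWN_HOST_SUFFIXES` is an assumption standing in for whatever hosts a given admin actually expects.

```python
from dataclasses import dataclass

# Constructed sample of `last` output; the r00p line mirrors the one in the
# message, the others are invented for contrast. Hostnames are truncated the
# way `last` prints them, hence the trailing dots.
SAMPLE_LAST = """\
radomir  ttyp1    ws1.example.     Wed Jun 18 08:01   still logged in
r00p     ttyp4    intake.MADRIVER. Wed Jun 18 06:32 - 06:35  (00:03)
radomir  ttyp2    ws1.example.     Tue Jun 17 17:40 - 18:12  (00:32)

wtmp begins Sun Jun  1 00:00
"""

# Constructed /etc/passwd excerpt; r00p is deliberately absent, as on
# the author's machine.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
radomir:x:1000:100:Radomir:/home/radomir:/bin/sh
"""

# Assumption: the admin knows which hosts normally log in. Anything else
# is worth a second look.
KNOWN_HOST_SUFFIXES = ("example.",)


@dataclass
class Login:
    user: str
    tty: str
    host: str
    when: str


def parse_last(text):
    """Parse `last` output into Login records, skipping the trailer line."""
    logins = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("wtmp begins"):
            continue
        parts = line.split(None, 3)  # user, tty, host, rest of the line
        if len(parts) < 4:
            continue
        user, tty, host, when = parts
        logins.append(Login(user, tty, host, when))
    return logins


def parse_passwd(text):
    """Return the set of usernames defined in a passwd file."""
    users = set()
    for line in text.splitlines():
        if line and not line.startswith("#"):
            users.add(line.split(":", 1)[0])
    return users


def host_is_expected(host, known_suffixes):
    # Compare case-insensitively and ignore the trailing dot `last` leaves
    # on truncated hostnames.
    h = host.lower().rstrip(".")
    return any(h.endswith(s.lower().rstrip(".")) for s in known_suffixes)


def suspicious_logins(last_text, passwd_text, known_suffixes):
    """Return (Login, reasons) pairs for records that deserve attention."""
    users = parse_passwd(passwd_text)
    findings = []
    for login in parse_last(last_text):
        reasons = []
        if login.user not in users:
            reasons.append("user not in passwd")
        if not host_is_expected(login.host, known_suffixes):
            reasons.append("unexpected source host")
        if reasons:
            findings.append((login, reasons))
    return findings


if __name__ == "__main__":
    for login, reasons in suspicious_logins(SAMPLE_LAST, SAMPLE_PASSWD,
                                            KNOWN_HOST_SUFFIXES):
        print(f"{login.user:8} {login.host:18} {login.when}  <- {', '.join(reasons)}")
```

A login record whose user is missing from passwd is a finding on its own: either the account was created and removed around the session, or the login record and the account database disagree for some other reason, and both call for the kind of follow-up Radomir did (looking for new files under /var/spool, checking the mail logs for the service that accepted the connection).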