I need some answers, badly. The OS was SunOS 4.1.3_U1B. The machine was a 4/470. A site I was helping on was broken into and maliciously destroyed the other day (rendered un-login-able), apparently via a hole I am unaware of (thanks for nothing, security thru obscurity folks - the crackers DO have information that is denied us 'ordinary' folks). This was a new install, and it lasted about 4 days. One person heard thru the cracker grapevine that root was broken thru /bin/mail. HOW?!

The permissions-fixing script from Sun had been run, plus things like arp, chill and rdist were made unavailable to users (chmod o-rx). Rdist was replaced by the fixed version and made unavailable for use to users (chmod o-rx). The original passwd command was made mode 400, as well as yppasswd, and a replacement passwd command was installed that didn't have the -F option, or the chfn or chsh options. The C2conv script had also been run. Sendmail was replaced by the newest version with all the fixes, and bind 4.9.2 replaced the original nameserver, as well as its resolver library. All programs replaced were renamed and made mode 400, owner root. Newsyslog was also chown'd to root, and the chmod 666 $LOG was changed to 644. /etc/utmp was also changed to mode 644.

Without better info, all the above work was a total waste of time. Can someone out there please inform me how these cracker types are getting root privs, and how one can stop it short of disconnecting the machine? And most important, how one can test for these vulnerabilities, and FIX them. Is there a hole in /bin/mail? How does one test for it (I am working on a port of net-2's /bin/mail replacement)? Also, how can one prevent anyone from being able to forge mail via the -f option? One cannot run like this, defenseless against malicious people getting their kicks ripping the machine apart at will.
The site involved is to be a dialup public-access site, so isolating it is not an option (and if people must disconnect from the world to stay whole, what use is the machine?). Please help! I need GOOD information - not "X is broken - fix it" without info as to WHY it's broken and HOW it is fixed and VERIFYING it is fixed. The insight so obtained will also be of use in checking for other holes. Thanks - I will summarize.

-- pat@rwing [If all fails, try: rwing!pat@eskimo.com] Pat Myrto - Seattle WA "No one has the right to destroy another person's belief by demanding empirical evidence." -- Ann Landers, nationally syndicated advice columnist and Director at Handgun Control Inc.
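As an added example (not from the original post or from Sun), a small Python audit script that verifies the modes and owners the post describes were actually set, and separately flags any setuid-root binary that group or other can write. The file list, and every path other than /bin/mail and /etc/utmp, is an assumption; adjust it for the host.

```python
import os
import stat

# Audit spec reconstructed from the hardening steps in the post (constructed list).
# Each entry: (path, most permissive mode allowed, required owner uid).
# Paths other than /bin/mail and /etc/utmp are assumed, not taken from the post.
SPEC = [
    ("/bin/mail",         0o4755, 0),  # setuid root mailer: root-owned, never writable
    ("/usr/bin/passwd",   0o0400, 0),  # original passwd disabled (mode 400, root)
    ("/usr/bin/yppasswd", 0o0400, 0),
    ("/usr/etc/arp",      0o0750, 0),  # chmod o-rx: no access for "other"
    ("/usr/ucb/rdist",    0o4750, 0),  # replacement rdist, also o-rx
    ("/usr/lib/sendmail", 0o4755, 0),
    ("/etc/utmp",         0o0644, 0),  # was 666, now 644
]

def check_entry(path, mode, uid, allowed, owner):
    """Return findings for one file given its st_mode and st_uid."""
    findings = []
    extra = stat.S_IMODE(mode) & ~allowed          # permission bits beyond the spec
    if extra:
        findings.append("%s: extra permission bits %04o (allowed at most %04o)"
                        % (path, extra, allowed))
    if uid != owner:
        findings.append("%s: owner uid %d, expected %d" % (path, uid, owner))
    # A setuid-root file that group or other can write lets anyone replace it with their own code.
    if (mode & stat.S_ISUID) and uid == 0 and (mode & (stat.S_IWGRP | stat.S_IWOTH)):
        findings.append("%s: setuid root and writable by group/other" % path)
    return findings

def audit(spec, stat_fn=os.stat):
    """Run check_entry over every spec entry; a missing file is reported, not fatal."""
    findings = []
    for path, allowed, owner in spec:
        try:
            st = stat_fn(path)
        except OSError:
            findings.append("%s: missing (renamed, or never installed?)" % path)
            continue
        findings.extend(check_entry(path, st.st_mode, st.st_uid, allowed, owner))
    return findings

if __name__ == "__main__":
    for line in audit(SPEC) or ["no deviations from spec"]:
        print(line)
```

Re-run it after every change and again on a schedule; a clean run proves only that the listed files match the spec, not that no other setuid binary is exposed.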