Thanks for all of your input, but I figured out what the guy did. He edited his login_conf file and put the file name as /etc/master.passwd and piped the output to a file. Then when he re-logged on, it displayed the master.passwd file contents. Then he ran crack on it and a week later had my root password. This vulnerability is in FreeBSD 4.3 and before.
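An audit for the condition described in the post, as an added example that is not part of the original post: it lists every per-user login_conf entry whose value names a file outside the owner's home directory. It assumes the per-user file is `~/.login_conf`, that home directories sit directly under one base directory, and the function name `audit_login_conf` is made up for this example.

```shell
#!/bin/sh
# Added example (not from the original post): flag per-user login_conf
# entries whose value is an absolute path outside the owner's home.
# Assumptions: the per-user file is <home>/.login_conf and all home
# directories live directly under the base directory given as $1.
# Output: one line per finding, "<file><TAB><cap>=<value>".

audit_login_conf() {
    base=$1
    for home in "$base"/*; do
        conf=$home/.login_conf
        [ -f "$conf" ] || continue
        # login.conf is a termcap-style database: fields are separated
        # by ':' and continuation lines end in '\'. Drop comment lines,
        # put one field per line, trim indentation and trailing '\'.
        sed '/^[[:space:]]*#/d' "$conf" |
        tr ':' '\n' |
        sed -e 's/^[[:space:]]*//' -e 's/\\$//' |
        while IFS= read -r field; do
            case $field in
                *=*) value=${field#*=} ;;
                *)   continue ;;
            esac
            case $value in
                "$home"/*) ;;   # file inside the user's own home: ignore
                /*) printf '%s\t%s\n' "$conf" "$field" ;;
            esac
        done
    done
}

# Run as: sh audit.sh /home
if [ "$#" -ge 1 ]; then
    audit_login_conf "$1"
fi
```

Any hit on a root-only file such as /etc/master.passwd deserves a look at who owns the login_conf file and when it was last modified.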