From: Odhiambo Washington <wash@wananchi.com>
To: freebsd-questions@FreeBSD.ORG
Cc: tomek@mpionline.com
Subject: Re: I got hacked, I think
Date: Thu, 18 Oct 2001 16:50:57 +0300
Message-ID: <20011018165057.V3734@ns2.wananchi.com>
In-Reply-To: <011e01c157cf$9b401700$f6f073d1@mpionline.com>
References: <20011018131823.Y621-100000@jodie.ncptiddische.net> <011e01c157cf$9b401700$f6f073d1@mpionline.com>
User-Agent: Mutt/1.3.23i
X-Operating-System: FreeBSD 4.4-STABLE i386
X-Designation: Systems Administrator, Wananchi Online Ltd.
X-Location: Nairobi, KE, East Africa.

* Tomek [20011018 15:21]: writing on the subject 'I got hacked, I think'

| Hello there,
| Hope I don't sound like a fool posting 2 separate problems in the same
| day. But while looking for the first problem I found many unusual
| things. I will try to keep it to the point to not waste anyone's time. I
| appreciate ANY help.
|
| ===WHAT I FOUND (quick snips)===
| =IN /etc/passwd: l-x:*:1003:0:User &:/home/l-x:/bin/sh
| =IN /etc/master.passwd: l-x:$4$(snip):1003:0::0:0:User
| &:/home/l-x:/bin/sh

Hmm, are you saying you know absolutely NOTHING about user l-x ???

| =IN /var/log/userlog: 2001-10-06 14:00:17 [unknown:useradd]
| l-x(1003):wheel(0):User &:/home/l-x:/bin/sh

Aha, you've _never_ even tried useradd??? useradd is not a FreeBSD
command but a Linux one. Aren't you from a Linux background? If not,
then someone from that world gained access to your box. Damn! How can
they when Linux security is so weak? Think about it. I don't intend to
start a war with Linux guys here but Linux out of the box is as bad as
leaving your door open and taking a hike.

| =NOTE: my crashing/rebooting problem mentioned earlier started on 9/9/01
| =NOTE: "adduser" log shows nothing

That is quite fine as long as you've never added any user before. If
you did then someone erased it and that's only possible when they gain
root access.

| =IN security summary for 9/27/01: 58c58
| < 2539603 -r-xr-sr-x 1 bin mail 26292 Apr 19 13:11:11 2001
| /usr/local/libexec/cucipop
| > 2539603 -r-xr-sr-x 1 bin mail 26292 Apr 19 13:11:11 2001
| /usr/local/bin/bzcat
|
| =IN security summary for 10/06/01: 58a59
| > 2547533 ---s--x--x 1 Broot wheel 83004 Sep 26 21:42:25 2001
| /usr/local/bin/sudo

Again, sudo is not installed in FreeBSD by default. Did you install it
from the ports? BTW how many people have access to your box? Sudo is
used for running privileged commands. If you did not install it then
think again. In my case, I use sudo daily but whatever I do I always
see in /var/log/messages. Does yours show any?

| =IN /var/log/messages:
| messages:Oct 6 14:01:00 P7 login: LOGIN l-x REFUSED (ACCESS) FROM
| 212.199.120.9
| 8 ON TTY ttyp0
| messages:Oct 6 14:01:21 P7 login: LOGIN l-x REFUSED (ACCESS) FROM
| 212.199.120.9
| 8 ON TTY ttyp0

That is now it. The hacker logged in, created user l-x, erased his
tracks from adduser.log and now is attempting login from 212.199.120.9
- you see?

|
| =IN setuid.today I see a LOT of entries, even though I haven't been
| doing anything. For example:
| 4515661 -rwsr-xr-x 1 Broot news 7347 Apr 18 20:45:13 2001
| /usr/local/news /bin/auth/passwd/ckpasswd

Okay, I don't know of any "Broot" in FreeBSD and neither does FreeBSD
have /bin/auth/ - man, format your box asap and reinstall. You were
hacked. You will remember that as soon as you complete installing a
system, always check /etc/inetd.conf and disable any service you don't
need. Then go into /etc/hosts.allow and ONLY allow hosts from your LAN
to access those services you decide to run, with the exception of the
MTA (for the time being though).

| 4150643 -r-sr-x--- 1 Broot news 32202 Apr 18 20:44:09 2001
| /usr/local/news /bin/inndstart

I don't know of this /bin/inndstart - might be a back orifice thingy!!!

| =NOTE: I found my /var/log/security EMPTY
| =VERSION: FreeBSD 4.3-RELEASE (GENERIC) #0: Sat Apr 21 10:54:49 GMT 2001

That is fine. Mine is also empty. Normally firewall programs log into
that file.

| ===COMMENTS===
| I know I was NOT doing anything on 09/27/01, 10/06/01 or any of the days
| in question, so I know it wasn't me. I do not allow ANY accounts on our
| server other than my own, and I do not use passwords that I use anywhere
| else.

I have said all I can say, for now ;-)

| ===QUESTIONS===
| Forgive me if this is overwhelming, I have no idea what else to do but
| ask questions. I have browsed around the usual resources but I am asking
| these questions in context of above, not in general really.
|
| Is it normal for /var/log/security to be empty?

YES

| Is it normal to have lots of entries in setuid.today (ie: is it caused
| by general server activity)?

If you install those apps.

| Any suggestions of what logs/places I should check next to find out WHAT
| has been done to my system and what it was used for? (ie: a connection
| log to see when this hacker was connecting, if it exists).

You already saw it. I sincerely believe you should format that disk and
reinstall. Someone else might have a diff opinion.

-Wash

Systems Administrator

--
Odhiambo Washington
Wananchi Online Ltd.,
1st Flr Loita Hse, Loita Street
PO Box 10286, 00100-NAIROBI, KE.
Fax: 254 2 313985-9
Fax: 254 2 313922
E-mail: wash@wananchi.com
URL : http://www.wananchi.com
GSM: 254 72 743 223 / 254 733 744 121

+++
Be prepared... that's the Boy Scout's solemn creed.
Be prepared... to be clean in word and deed.
Don't solicit for your sister, that's not nice,
Unless you get a good percentage of her price ...
-- Tom Lehrer
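The three artifacts the thread turns on (an account nobody added, a setuid binary that appeared between two security runs, and REFUSED logins from one host) are exactly what FreeBSD's daily security run diffs for you. The script below is an added example, not part of this thread and not FreeBSD's own periodic script: it runs those three checks over constructed sample data. The allow-list EXPECTED_USERS, the baseline listing and the 203.0.113.9 address are assumptions made for the example; the host name and the account, file and log formats are taken from the quoted post.

```sh
#!/bin/sh
# Added example, not from the original thread: a small triage script in the
# spirit of FreeBSD's daily security run. It flags accounts not on an
# allow-list, setuid entries missing from a saved baseline, and REFUSED
# logins grouped by source host. All input is constructed sample data.

# Constructed /etc/passwd excerpt (the "l-x" line mirrors the one quoted above).
PASSWD='root:*:0:0:Charlie &:/root:/bin/csh
tomek:*:1001:1001:Tomek:/home/tomek:/bin/sh
l-x:*:1003:0:User &:/home/l-x:/bin/sh'
EXPECTED_USERS='root tomek'   # hypothetical: the accounts the admin knows about

# Constructed setuid listings, same columns as /var/log/setuid.today.
SETUID_BASELINE='2539603 -r-xr-sr-x 1 bin mail 26292 Apr 19 13:11:11 2001 /usr/local/libexec/cucipop'
SETUID_TODAY='2539603 -r-xr-sr-x 1 bin mail 26292 Apr 19 13:11:11 2001 /usr/local/libexec/cucipop
2547533 ---s--x--x 1 Broot wheel 83004 Sep 26 21:42:25 2001 /usr/local/bin/sudo'

# Constructed /var/log/messages excerpt (203.0.113.9 is a documentation address).
MESSAGES='Oct 6 14:01:00 P7 login: LOGIN l-x REFUSED (ACCESS) FROM 203.0.113.9 ON TTY ttyp0
Oct 6 14:01:21 P7 login: LOGIN l-x REFUSED (ACCESS) FROM 203.0.113.9 ON TTY ttyp0
Oct 6 14:05:00 P7 login: ROOT LOGIN (root) ON ttyv0'

# Accounts not on the allow-list, with a marker when they sit in gid 0 (wheel).
unexpected_users() {
    printf '%s\n' "$PASSWD" | awk -F: -v ok=" $EXPECTED_USERS " '
        index(ok, " " $1 " ") == 0 {
            printf "%s uid=%s gid=%s%s\n", $1, $3, $4, ($4 == 0 ? " (gid 0!)" : "")
        }'
}

# Setuid entries present today but absent from the baseline; comparing whole
# lines means a changed owner, size or path shows up too.
new_setuid() {
    printf '%s\n' "$SETUID_BASELINE" | sort > "/tmp/setuid.base.$$"
    printf '%s\n' "$SETUID_TODAY"    | sort > "/tmp/setuid.now.$$"
    comm -13 "/tmp/setuid.base.$$" "/tmp/setuid.now.$$"
    rm -f "/tmp/setuid.base.$$" "/tmp/setuid.now.$$"
}

# "count host user" for every REFUSED login, most frequent source first.
refused_logins() {
    printf '%s\n' "$MESSAGES" | awk '/login: LOGIN .* REFUSED/ {
        for (i = 1; i <= NF; i++) { if ($i == "LOGIN") u = $(i+1); if ($i == "FROM") h = $(i+1) }
        print h, u
    }' | sort | uniq -c | sort -rn
}

unexpected_users; new_setuid; refused_logins
```

On a real box, point PASSWD, SETUID_BASELINE and MESSAGES at /etc/passwd, /var/log/setuid.yesterday and /var/log/messages; the gid 0 marker is there because the rogue account in the post was created in wheel.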