Date:      Thu, 18 Oct 2001 16:50:57 +0300
From:      Odhiambo Washington <wash@wananchi.com>
To:        freebsd-questions@FreeBSD.ORG
Cc:        tomek@mpionline.com
Subject:   Re: I got hacked, I think
Message-ID:  <20011018165057.V3734@ns2.wananchi.com>
In-Reply-To: <011e01c157cf$9b401700$f6f073d1@mpionline.com>
References:  <20011018131823.Y621-100000@jodie.ncptiddische.net> <011e01c157cf$9b401700$f6f073d1@mpionline.com>

* Tomek <tomek@mpionline.com> [20011018 15:21]: writing on the subject 'I got hacked, I think'
| Hello there,
| Hope I don't sound like a fool posting 2 separate problems in the same
| day. But while looking for the first problem I found many unusual
| things. I will try to keep it to the point to not waste anyone's time. I
| appreciate ANY help.
| 
| ===WHAT I FOUND (quick snips)===
| =IN /etc/passwd: l-x:*:1003:0:User &:/home/l-x:/bin/sh
| =IN /etc/master.passwd: l-x:$4$(snip):1003:0::0:0:User
| &:/home/l-x:/bin/sh

Hmm, are you saying you know absolutely NOTHING about user l-x ???

| =IN /var/log/userlog: 2001-10-06 14:00:17 [unknown:useradd]
| l-x(1003):wheel(0):User &:/home/l-x:/bin/sh

Aha, you've _never_ even tried useradd??? useradd is not a FreeBSD command but
a Linux one. Aren't you from a Linux background? If no, then someone from that
world gained access to your box. Damn! How can they when Linux security is so
weak? Think about it. I don't intend to start a war with Linux guys here but
Linux out of the box is as bad as leaving your door open and taking a hike.


| =NOTE: my crashing/rebooting problem mentioned earlier started on 9/9/01
| =NOTE: "adduser" log shows nothing

That is quite fine as long as you've never added any user before. If you did
then someone erased it and that's only possible when they gain root access.

| =IN security summary for 9/27/01: 58c58
| < 2539603 -r-xr-sr-x  1 bin    mail     26292 Apr 19 13:11:11 2001
| /usr/local/libexec/cucipop
| > 2539603 -r-xr-sr-x  1 bin    mail     26292 Apr 19 13:11:11 2001
| /usr/local/bin/bzcat
| 
| =IN security summary for 10/06/01: 58a59
| > 2547533 ---s--x--x  1 Broot  wheel    83004 Sep 26 21:42:25 2001
| /usr/local/bin/sudo


Again, sudo is not installed in FreeBSD by default. Did you install it
from the ports? BTW how many people have access to your box?
Sudo is used for running privileged commands. If you did not install it
then think again. 
In my case, I use sudo daily but whatever I do I always see in /var/log/messages.
Does yours show any?


| =IN /var/log/messages:
| messages:Oct  6 14:01:00 P7 login: LOGIN l-x REFUSED (ACCESS) FROM 212.199.120.98 ON TTY ttyp0
| messages:Oct  6 14:01:21 P7 login: LOGIN l-x REFUSED (ACCESS) FROM 212.199.120.98 ON TTY ttyp0

That is now it. The hacker logged in, created user l-x, erased his tracks
from adduser.log and now is attempting login from 212.199.120.9 - you see?


| 
| =IN setuid.today I see a LOT of entries, even though I haven't been
| doing anything. For example:
| 4515661 -rwsr-xr-x  1 Broot  news      7347 Apr 18 20:45:13 2001
| /usr/local/news /bin/auth/passwd/ckpasswd


Okay, I don't know of any "Broot" in FreeBSD and neither does FreeBSD have
/bin/auth/ - man, format your box asap and reinstall. You were hacked.

You will remember that as soon as you complete to install a system, always
check /etc/inetd.conf and disable any service you don't need. Then go into
/etc/hosts.allow and ONLY allow hosts from your LAN to access those services
you decide to run, with the exception of the MTA (for the time being though).


| 4150643 -r-sr-x---  1 Broot  news     32202 Apr 18 20:44:09 2001
| /usr/local/news /bin/inndstart

I don't know of this /bin/inndstart - might be a back orifice thingy!!!


| =NOTE: I found my /var/log/security EMPTY
| =VERSION: FreeBSD 4.3-RELEASE (GENERIC) #0: Sat Apr 21 10:54:49 GMT 2001


That is fine. Mine is also empty. Normally firewall programs log into that
file.


| ===COMMENTS===
| I know I was NOT doing anything on 09/27/01, 10/06/01 or any of the days
| in question, so I know it wasn't me. I do not allow ANY accounts on our
| server other than my own, and I do not use passwords that I use anywhere
| else.


I have said all I can say, for now ;-)


| ===QUESTIONS===
| Forgive me if this is overwhelming, I have no idea what else to do but
| ask questions. I have browsed around the usual resources but I am asking
| these questions in context of above, not in general really.
| 
| Is it normal for /var/log/security to be empty?

YES

| Is it normal to have lots of entries in setuid.today (ie: is it caused
| by general server activity)?

If you install those apps.


| Any suggestions of what logs/places I should check next to find out WHAT
| has been done to my system and what it was used for? (ie: a connection
| log to see when this hacker was connecting, if it exists).


You already saw it. 


I sincerely believe you should format that disk and reinstall.
Someone else might have a diff opinion.



-Wash

S y s t e m s   A d m i n i s t r a t o r
--
                                              ~\\_                 
 Odhiambo Washington                            \\\\               
 Wananchi Online Ltd.,                          `\\\\\             
 1st Flr Loita Hse, Loita Street                 |\\\\\            
 PO Box 10286,00100-NAIROBI,KE.                   \\\\\|__.--~~\   
 Fax: 254 2 313985-9                           _--~            /   
 Fax: 254 2 313922                           /~ //////  _-~~~~'    
 E-mail: wash@wananchi.com                  ('-//////-//           
 URL	: http://www.wananchi.com            //////(((-)           
 GSM: 254 72 743 223 / 254 733 744 121     /////"                  
                                        _///"                      

+++
Be prepared... that's the Boy Scout's solemn creed.
Be prepared... to be clean in word and deed.
Don't solicit for your sister, that's not nice,
Unless you get a good percentage of her price ...
		-- Tom Lehrer

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
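As an added illustration, not part of the thread, here is a small Python audit that applies the checks Wash walks through above to constructed samples modelled on the quoted artifacts: non-root accounts with gid 0 in passwd, useradd records in /var/log/userlog, setuid files owned by a name that is not in passwd (the "Broot" entries), and refused logins grouped by user and source address. The field layouts, the regexes and the sample data are assumptions derived from the snippets quoted in the message.

```python
import re
from collections import Counter

# Constructed samples modelled on the artifacts quoted in the thread, not the poster's real files.
PASSWD = "root:*:0:0:Charlie &:/root:/bin/csh\nl-x:*:1003:0:User &:/home/l-x:/bin/sh\n"
USERLOG = "2001-10-06 14:00:17 [unknown:useradd] l-x(1003):wheel(0):User &:/home/l-x:/bin/sh\n"
MESSAGES = """Oct  6 14:01:00 P7 login: LOGIN l-x REFUSED (ACCESS) FROM 212.199.120.98 ON TTY ttyp0
Oct  6 14:01:21 P7 login: LOGIN l-x REFUSED (ACCESS) FROM 212.199.120.98 ON TTY ttyp0
"""
SETUID_TODAY = """2547533 ---s--x--x  1 Broot  wheel    83004 Sep 26 21:42:25 2001 /usr/local/bin/sudo
4515661 -rwsr-xr-x  1 Broot  news      7347 Apr 18 20:45:13 2001 /usr/local/news/bin/auth/passwd/ckpasswd
1234567 -r-sr-xr-x  1 root   wheel    20000 Apr 21 10:54:49 2001 /usr/bin/passwd
"""
USERADD_RE = re.compile(r"^(\S+ \S+) \[[^\]]*:useradd\] ([^(]+)\((\d+)\):([^(]+)\((\d+)\)")
LOGIN_RE = re.compile(r"login: LOGIN (\S+) REFUSED \((\w+)\) FROM (\S+) ON TTY")

def passwd_users(passwd):
    """Map login name -> (uid, gid) from passwd(5) text."""
    return {f[0]: (int(f[2]), int(f[3]))
            for f in (l.split(":") for l in passwd.splitlines()) if len(f) >= 7}

def audit_accounts(passwd):
    """Non-root logins with primary gid 0 (wheel) can su(1) to root; the thread's l-x is one."""
    return [f"gid-0 account {u} (uid {uid})"
            for u, (uid, gid) in passwd_users(passwd).items() if gid == 0 and u != "root"]

def audit_userlog(userlog):
    """Account creations recorded in /var/log/userlog; the admin recognised none of them."""
    return [f"useradd {m[2]} uid={m[3]} gid={m[5]} ({m[4]}) at {m[1]}"
            for m in map(USERADD_RE.match, userlog.splitlines()) if m]

def audit_setuid(listing, passwd):
    """setuid/setgid files owned by a name absent from passwd (the thread's 'Broot')."""
    known, findings = passwd_users(passwd), []
    for line in listing.splitlines():
        f = line.split(None, 10)  # inode mode nlink owner group size mon day time year path
        if len(f) == 11 and f[3] not in known:
            findings.append(f"{f[10]}: owner {f[3]!r} not in passwd (mode {f[1]})")
    return findings

def audit_logins(messages):
    """Refused logins per (user, source address) from login(1) entries in /var/log/messages."""
    hits = Counter((m[1], m[3]) for m in map(LOGIN_RE.search, messages.splitlines()) if m)
    return [f"{n} refused login(s) for {u} from {src}" for (u, src), n in hits.items()]

if __name__ == "__main__":
    print(*(audit_accounts(PASSWD) + audit_userlog(USERLOG)
            + audit_setuid(SETUID_TODAY, PASSWD) + audit_logins(MESSAGES)), sep="\n")
```

On a live system the same functions can be fed the real /etc/passwd, /var/log/userlog, /var/log/messages and the daily security script's setuid listing; the owner check is only as good as the passwd file it is compared against, so compare against a trusted copy rather than the one on the suspect host.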