Date:      Thu, 18 Oct 2001 18:05:13 +0300
From:      Odhiambo Washington <wash@wananchi.com>
To:        Tomek <tomek@mpionline.com>
Cc:        FBSD-Q <freebsd-questions@freebsd.org>
Subject:   Re: I got hacked, I think
Message-ID:  <20011018180513.C3734@ns2.wananchi.com>
In-Reply-To: <01e701c157e4$f012abc0$f6f073d1@mpionline.com>
References:  <20011018131823.Y621-100000@jodie.ncptiddische.net> <011e01c157cf$9b401700$f6f073d1@mpionline.com> <20011018165057.V3734@ns2.wananchi.com> <01e701c157e4$f012abc0$f6f073d1@mpionline.com>



* Tomek <tomek@mpionline.com> [20011018 17:54]: writing on the subject 'Re: I got hacked, I think'
| > Hmm, are you saying you know absolutely NOTHING about user l-x ???
| Correct, I do not give ANYONE access at ANY level to our system. I am
| the only user and I only allow telnet access from localhost and a few
| other in-house computers. No one except myself is allowed near the
| servers.

Hmm.

| > Aha, you've _never_ even tried useradd??? useradd is not a FreeBSD
| command but
| Useradd isn't the command, it's just the description written to logs. I
| am not a Linux user, I am only a FreeBSD (and Windows unfortunately)
| user, nothing else for me.

So you were hacked still, if you didn't try that.


| > Again, sudo is not installed in FreeBSD by default. Did you install it
| No I never install useless programs that I don't know about. As I
| mentioned, I wasn't even using the server on the days they were
| installed (I keep extensive logs of what I personally do each day). So
| clearly someone found a way to install "sudo".

Yes.

| > In my case, I use sudo daily but whatever i do I always see in
| /var/log/messages.
| What would "sudo" logs contain? grep shows nothing under "sudo".

Like these:

Oct 17 17:00:51 ns2 sudo:     wash : TTY=ttyp0 ; PWD=/home/wash ; USER=root ; COMMAND=/usr/bin/ee /etc/namedb/flexopac.com
Oct 17 17:01:01 ns2 sudo:     wash : TTY=ttyp0 ; PWD=/home/wash ; USER=root ; COMMAND=/usr/bin/ee /etc/namedb/flexopak.com
Oct 17 17:01:31 ns2 sudo:     wash : TTY=ttyp0 ; PWD=/home/wash ; USER=root ; COMMAND=/usr/sbin/ndc reload

| > That is now it. The hacker logged in, created user l-x, erased his tracks
| > from adduser.log and now is attempting login from 212.199.120.9 - you see?

| Here is where my questions come to play. I see generally what is
| happening, I also see l-x failed to login, and I also see that this
| hacker is STILL (even 1 hour ago) trying to anonymous login but gets
| refused. If he has access, then why is he still trying to anonymous
| login? (unless it's a different hacker/robot that is getting nowhere).

Maybe someone walked onto your machine, rebooted into single user mode,
did everything he wanted as root then walked away and expected that now since
he's punched enough holes, he can just telnet from wherever.....


| What REALLY caught me off guard is you saying "Broot" is unknown, Broot
| user was there from the moment I installed FreeBSD and google search
| shows it everywhere, so I'm not worried about that even though my old
| version of FreeBSD didn't have a Broot.

Hmm, where do I find this Broot in my system. I run FreeBSD 4.4 in all my
systems.



| > /bin/auth/  - man format your box asap and reinstall. You were hacked.
| /usr/local/news/bin/auth/passwd/ckpasswd was the full pathname.

There is no such path in my boxes. Maybe because I have not installed any news
apps???? Maybe someone is hiding those apps in there??

| My goal is NOT to just delete the system, that would be crazy. It seems
| I have been COMPLETELY hacked, inside and out, and I have to know where
| the leak was or I might end up in same position again. I am leaving
| everything as is except I have installed several logging programs to try
| and see WHAT this person is doing, from that I will know what damage may
| have been done.


Okay. Tripwire could have helped. I haven't run it either but I wish you luck.
I hope the hacker doesn't wreak havoc.



| ===
| It appears most of the files have had chmod "s" run on them, not sure
| what that means but I'll check shortly.... it's SOO aggravating to be
| sitting here KNOWING someone is hacking me and be forced to wait and try
| and find out what they are doing... risky too.


's' is the setuid bit on a file - makes it run with root privileges.



-Wash

S y s t e m s   A d m i n i s t r a t o r
--
                                              ~\\_
 Odhiambo Washington                            \\\\
 Wananchi Online Ltd.,                          `\\\\\
 1st Flr Loita Hse, Loita Street                 |\\\\\
 PO Box 10286,00100-NAIROBI,KE.                   \\\\\|__.--~~\
 Fax: 254 2 313985-9                           _--~            /
 Fax: 254 2 313922                           /~ //////  _-~~~~'
 E-mail: wash@wananchi.com                  ('-//////-//
 URL    : http://www.wananchi.com            //////(((-)
 GSM: 254 72 743 223 / 254 733 744 121     /////"
                                        _///"

+++
"He's not pining, he's passed on!  This parrot won't squawk!  He's
ceased to be!  He's expired, and gone to meet his maker!  It's a
stiff!  No breath of life, he may rest in peace!  If you hadn't nailed
him to the perch, he'd be pushing up the daisies!  He's off the twig!
He's kicked the bucket!  He's curled up his tooties!  He's shuffled off
this mortal world!  He's run down the curtain, and joined the bleed'n
Choir Invincible!  HE'S FUCKING SNUFFED IT!  Vis-a-vi his metabolic
processes is head is lost.  All statements concerning this parrot is no
longer a going concern, after from now on, Inoperative...

		THIS IS AN EX-PARROT!!"

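As an added defender's example, not part of this thread or of anyone's posted code: a small sh script that parses the sudo(8) log format Wash quotes above, reports sudo use by anyone outside an expected-admin list, and inventories setuid/setgid files of the kind Tomek noticed with mode "s". The log lines embedded in it are constructed for the example (the wash entries mirror the quoted output; the l-x entry is invented so the check has something to flag).

```shell
#!/bin/sh
# Added example, not from the original thread. Constructed sample of sudo
# syslog lines; hostname and user "wash" mirror the quoted log, the "l-x"
# line is invented to give the allow-list check a hit.
SUDO_LOG_SAMPLE='Oct 17 17:00:51 ns2 sudo:     wash : TTY=ttyp0 ; PWD=/home/wash ; USER=root ; COMMAND=/usr/bin/ee /etc/namedb/flexopac.com
Oct 17 17:01:31 ns2 sudo:     wash : TTY=ttyp0 ; PWD=/home/wash ; USER=root ; COMMAND=/usr/sbin/ndc reload
Oct 17 23:12:04 ns2 sudo:      l-x : TTY=ttyp2 ; PWD=/tmp ; USER=root ; COMMAND=/bin/sh'

# parse_sudo_log: read sudo syslog lines on stdin, emit one
# "invoker<TAB>target_user<TAB>command" line per sudo record.
parse_sudo_log() {
    awk '
    / sudo: / {
        invoker = ""; target = ""; cmd = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "sudo:") invoker = $(i + 1)        # field after "sudo:"
            if (substr($i, 1, 5) == "USER=") target = substr($i, 6)
            if (substr($i, 1, 8) == "COMMAND=") {         # rest of line is the command
                cmd = substr($i, 9)
                for (j = i + 1; j <= NF; j++) cmd = cmd " " $j
                break
            }
        }
        if (invoker != "") printf "%s\t%s\t%s\n", invoker, target, cmd
    }'
}

# flag_unexpected_sudo: print every parsed record whose invoker is not in the
# space-separated allow list passed as $1 (e.g. "wash"). Silent when clean.
flag_unexpected_sudo() {
    allowed=" $1 "
    parse_sudo_log | while IFS="$(printf '\t')" read -r invoker target cmd; do
        case "$allowed" in
            *" $invoker "*) ;;
            *) printf 'UNEXPECTED sudo by %s as %s: %s\n' "$invoker" "$target" "$cmd" ;;
        esac
    done
}

# find_setuid: list setuid/setgid regular files under $1 (default /), staying on
# one filesystem. Diff this against a baseline (mtree/Tripwire) to spot new ones.
find_setuid() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Usage on a real box: flag_unexpected_sudo "wash" < /var/log/messages; find_setuid /
printf '%s\n' "$SUDO_LOG_SAMPLE" | flag_unexpected_sudo "wash"
```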
