From owner-freebsd-security@FreeBSD.ORG Thu Dec 16 13:09:15 2004
From: Ganbold
To: freebsd-security@freebsd.org
cc: freebsd-hackers@freebsd.org
Date: Thu, 16 Dec 2004 20:31:05 +0800
Message-Id: <6.2.0.14.2.20041216195558.030b0eb0@202.179.0.80>
Subject: Strange command histories in hacked shell server

Hi,

Sorry for cross posting.

I have a FreeBSD 5.3-stable server which serves as a public shell server.

FreeBSD public.ub.mng.net 5.3-STABLE FreeBSD 5.3-STABLE #6: Wed Nov 24 15:55:36 ULAT 2004 tsgan@public.ub.mng.net:/usr/obj/usr/src/sys/PSH i386

It has ssh and proftp-1.2.10 daemons. However it was hacked and I'm trying to analyze it and having some difficulties.

The machine is configured in such a way that everyone can create an account themselves.

Some user dir permissions:
...
drwxr-xr-x  2 root      wheel   512 Mar 29  2004 new
drwx------  3 tamiraad  unix    512 Apr  9  2004 tamiraad
drwxr-xr-x  6 tsgan     tsgan  1024 Dec 16 17:51 tsgan
drwx------  4 tugstugi  unix    512 Dec 13 20:34 tugstugi
drwxr-xr-x  5 unix      unix    512 Dec 13 12:37 unix
...

A user should log on as new with password new to create an account. Accounting is enabled and kern.securelevel is set to 2. Only one account 'tsgan' is in the wheel group and only tsgan can become root using su.

Following is some strange output from grave-robber (coroner toolkit):
...
Dec 13 04 20:18:40     5 m.c -rw-rw---- tugstugi smmsp /var/spool/clientmqueue/dfiBDCIeD0001529
Dec 13 04 20:34:58   512 m.. drwx------ tugstugi unix  /home/tugstugi
Dec 13 04 20:35:57   512 ..c drwx------ tugstugi unix  /home/tugstugi
Dec 14 04 00:19:56     0 m.c -rw-rw-rw- tugstugi unix  /home/tugstugi/.myrc
Dec 14 04 00:20:50  9665 m.. -rw-r--r-- tugstugi unix  /home/tsgan/.tmp/known_hosts
                    9665 m.c -rw-r--r-- tugstugi unix  /home/tugstugi/.ssh/known_hosts
Dec 15 04 19:12:21  1002 m.c -rw------- tugstugi unix  /home/tugstugi/.shrc
...

Somehow he seems to have copied /home/tugstugi/.ssh/known_hosts to /home/tsgan/.tmp/known_hosts. I don't know why.

Following is lastcomm output:
...
sshd    -F  tugstugi  __        0.16 secs Tue Dec 14 23:01
sh      -   tugstugi  #C:5:0x1  0.03 secs Tue Dec 14 23:02
su      -   tugstugi  #C:5:0x1  0.02 secs Tue Dec 14 23:38
...
sshd    -F  tugstugi  __        0.08 secs Tue Dec 14 22:41
sh      -   tugstugi  #C:5:0x1  0.02 secs Tue Dec 14 22:41
who     -   tugstugi  #C:5:0x1  0.00 secs Tue Dec 14 22:52
su      -   tugstugi  #C:5:0x1  0.02 secs Tue Dec 14 22:48
sh      -   tsgan     #C:5:0x1  0.00 secs Tue Dec 14 22:48
ls      -   tsgan     #C:5:0x1  0.00 secs Tue Dec 14 22:52
su      -   tsgan     #C:5:0x1  0.02 secs Tue Dec 14 22:49
csh     -   root      #C:5:0x1  0.03 secs Tue Dec 14 22:49
...

In the above I think he had already hijacked my account and the root password, so he used su to become root.
sshd     -F  tsgan  __     0.02 secs Tue Dec 14 00:27
sh       -   tsgan  ttyp0  0.02 secs Tue Dec 14 00:27
cat      -   tsgan  ttyp0  0.00 secs Tue Dec 14 00:28
su       -   tsgan  ttyp0  0.00 secs Tue Dec 14 00:28
sleep    -   tsgan  ttyp0  0.00 secs Tue Dec 14 00:27
^^^^^^
stty     -   tsgan  ttyp0  0.00 secs Tue Dec 14 00:27
stty     -   tsgan  ttyp0  0.00 secs Tue Dec 14 00:27
^^^^^^
fortune  -   tsgan  ttyp0  0.00 secs Tue Dec 14 00:27
...

I don't quite understand why he used the sleep and stty commands in the above. My suspicion is tty hijacking. Am I right? Correct me if I'm wrong.

sleep    -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:24
stty     -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:24
stty     -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:24
...
id       -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:24
sleep    -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:24
stty     -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:24
stty     -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:24
id       -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:24
cat      -   tsgan     #C:5:0x2  0.00 secs Tue Dec 14 00:24
ls       -   tsgan     #C:5:0x2  0.00 secs Tue Dec 14 00:24
su       -   tsgan     #C:5:0x2  0.02 secs Tue Dec 14 00:23
sh       -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:23
ls       -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:23
id       -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:23
ls       -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:23
sleep    -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:23
stty     -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:23
stty     -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:23
ls       -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:23
id       -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:23
ls       -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:23
cat      -   tsgan     #C:5:0x2  0.00 secs Tue Dec 14 00:23
su       -   tsgan     #C:5:0x2  0.02 secs Tue Dec 14 00:23
cat      -   tsgan     #C:5:0x2  0.00 secs Tue Dec 14 00:22
sleep    -   tsgan     #C:5:0x2  0.00 secs Tue Dec 14 00:22
stty     -   tsgan     #C:5:0x2  0.00 secs Tue Dec 14 00:22
stty     -   tsgan     #C:5:0x2  0.00 secs Tue Dec 14 00:22
fortune  -   tsgan     #C:5:0x2  0.00 secs Tue Dec 14 00:22
...

One more strange thing is "#C:5:0x2". What is this?
Again I'm suspecting that this guy hijacked my tty and got tsgan, and then he could log my keystrokes and get the root password. Am I right?

Please give me some advice and info regarding this kind of hack.
What should I do in order to secure my shell server? I mean except securelevel, unneeded services etc.
Can somebody give me some hints on file and directory permissions?
Is there anybody who has a similar server config and has already had such issues and problems?

I would appreciate it very much if somebody could help me in this regard.

thanks in advance,

Ganbold

From owner-freebsd-security@FreeBSD.ORG Thu Dec 16 16:27:09 2004
From: richard childers / kg6hac
Organization: Daemonized Networking Services - http://www.daemonized.com
To: freebsd-security@freebsd.org
Reply-To: fscked@pacbell.net
Date: Thu, 16 Dec 2004 08:24:09 -0800
Message-ID: <41C1B6A9.5020405@pacbell.net>
In-Reply-To: <20041211120120.5204216A4D0@hub.freebsd.org>
References: <20041211120120.5204216A4D0@hub.freebsd.org>
Subject: re: need some advice on connections logs
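An added example, not part of any message in this thread, that works through the accounting records in Ganbold's message above: it parses lastcomm-style lines, groups them by tty and follows each su to the next identity seen on that tty, so a login that reached root through another account shows up as a three-identity path, and an su with no second identity behind it is reported as unresolved. The sample lines are constructed from the post's records; the parser and chain logic are this example's own and assume all records fall within one calendar month.

```python
import re
from collections import defaultdict

# lastcomm prints: command flags user tty cpu "secs" day mon dd hh:mm
# Records are written when a process exits, so the output is newest-exit first.
LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<flags>\S+)\s+(?P<user>\S+)\s+(?P<tty>\S+)\s+"
    r"(?P<cpu>[\d.]+)\s+secs\s+\w{3}\s+\w{3}\s+(?P<dom>\d+)\s+(?P<time>\d\d:\d\d)$"
)

# Constructed sample modelled on the post: one session on an unresolved tty
# key (#C:5:0x1) that hops tugstugi -> tsgan -> root, and one on ttyp0 where
# su leaves no second identity behind it (failed su, or records not shown).
SAMPLE = """\
sshd    -F  tugstugi  __        0.08 secs Tue Dec 14 22:41
sh      -   tugstugi  #C:5:0x1  0.02 secs Tue Dec 14 22:41
who     -   tugstugi  #C:5:0x1  0.00 secs Tue Dec 14 22:52
su      -   tugstugi  #C:5:0x1  0.02 secs Tue Dec 14 22:48
sh      -   tsgan     #C:5:0x1  0.00 secs Tue Dec 14 22:48
ls      -   tsgan     #C:5:0x1  0.00 secs Tue Dec 14 22:52
su      -   tsgan     #C:5:0x1  0.02 secs Tue Dec 14 22:49
csh     -   root      #C:5:0x1  0.03 secs Tue Dec 14 22:49
sshd    -F  tsgan     __        0.02 secs Tue Dec 14 00:27
sh      -   tsgan     ttyp0     0.02 secs Tue Dec 14 00:27
cat     -   tsgan     ttyp0     0.00 secs Tue Dec 14 00:28
su      -   tsgan     ttyp0     0.00 secs Tue Dec 14 00:28
sleep   -   tsgan     ttyp0     0.00 secs Tue Dec 14 00:27
stty    -   tsgan     ttyp0     0.00 secs Tue Dec 14 00:27
fortune -   tsgan     ttyp0     0.00 secs Tue Dec 14 00:27
"""


def parse_lastcomm(text):
    """Parse lastcomm output into records; lines that do not match are skipped."""
    recs = []
    for pos, line in enumerate(text.splitlines()):
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        r = m.groupdict()
        hh, mm = r["time"].split(":")
        r["start"] = (int(r["dom"]), int(hh) * 60 + int(mm))  # (day, minute of day)
        r["pos"] = pos  # position in lastcomm output: earlier = exited later
        recs.append(r)
    return recs


def su_chains(recs):
    """Map each tty to its su hops [(invoker, target_or_None), ...] in time order.

    The target of an su is the first identity other than the invoker that
    appears on the same tty at or after the su started. Ties on the start
    minute keep lastcomm order, which lists su before the shell it spawned
    because su only exits after its child does.
    """
    by_tty = defaultdict(list)
    for r in recs:
        if r["tty"] != "__":  # "__": no controlling tty (e.g. the sshd parent)
            by_tty[r["tty"]].append(r)
    chains = {}
    for tty, rs in by_tty.items():
        rs.sort(key=lambda r: (r["start"], r["pos"]))
        hops = []
        for i, r in enumerate(rs):
            if r["cmd"] != "su":
                continue
            target = next((s["user"] for s in rs[i + 1:] if s["user"] != r["user"]), None)
            hops.append((r["user"], target))
        chains[tty] = hops
    return chains


def root_paths(chains):
    """Return [(tty, [login_identity, ..., 'root'])] for every tty that reached root.

    A path of more than two identities means root was reached through an
    intermediate account, which is the pattern in Ganbold's records.
    An su with no identity change behind it appears as '?'.
    """
    found = []
    for tty, hops in chains.items():
        path = []
        for invoker, target in hops:
            if not path or path[-1] != invoker:
                path.append(invoker)
            path.append(target or "?")
        if "root" in path:
            found.append((tty, path))
    return found


if __name__ == "__main__":
    chains = su_chains(parse_lastcomm(SAMPLE))
    for tty, hops in chains.items():
        print(tty, hops)
    for tty, path in root_paths(chains):
        via = " (indirect)" if path.index("root") > 1 else ""
        print("root reached on", tty, "->", " -> ".join(path) + via)
```

Run it against real `lastcomm` output (`lastcomm | python3 this_script.py` after swapping SAMPLE for `sys.stdin.read()`) to list every tty on which root was reached and whether it went through an intermediate account.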
>Date: Fri, 10 Dec 2004 19:01:59 -0500
>From: Bob Ababurko
>Subject: need some advice on connections logs
>
>
>Hello-
>
>What is the best way to deal with getting logs for someone attacking my
>box? I am not really sure, but I think it may involve tcpdump. Is
>there any way to implement this so that it can be running before an
>attack happens?.....see the problem is, that I do not have physical
>access to the box and if it is taken down (inaccessible by remote means),
>I cannot log in to start a dump. What can I do in this case, or what
>are my options, if I want to have the network connections dumped somehow
>with no intervention?....is that a tall order?
>
>Thanks,
>Bob
>

Bob,

I would recommend that, along with the excellent recommendations for logging syslogd(8) output to another machine, you install a firewall, if this is an option.

Although a firewall may not deter the attacks, it is an excellent mechanism for collecting forensic data, i.e., the details you need to prosecute the person or persons who are attacking your system. Consider, for instance, the massive amount of evidence created, in replicate, if every one of your servers has a firewall installed, and someone scans your network; it's difficult for a jury to argue with that sort of detail.

You can configure the firewall to log every single connection, separately from accepting or rejecting, so that you can in theory log successful as well as unsuccessful connections.

And, yes, if you want to log in even greater detail, you could set up a tcpdump(8) session that ran and collected all network traffic, too, and just leave it running, or turn it into a crontab entry that restarts it every hour, and manages each hour of logs, separately.
Naturally, all of this translates into a lot of data, so make sure you have a few gigabytes of space somewhere, ahead of time, and do some back-of-the-envelope calculations to see exactly how much you can accumulate before you need to start deleting logs. For instance, if it turns out that you have enough room to hold 30 days' worth of data, in worst-case scenarios involving 7x24 denial-of-service attacks intended to create huge logs, you might want to add another crontab entry cleaning out all logs over 15 days.

It's a lot of work but when you are done you will be able to rest much more easily.

Good luck!

Regards,

-- richard

--
Richard Childers / Senior Engineer
Daemonized Networking Services
945 Taraval Street, #105
San Francisco, CA 94116 USA
[011.]1.415.759.5571
http://www.daemonized.com

'A well-schooled electorate, being necessary to the security of a free State, the right of the people to keep and read Books, shall not be infringed.' -- (Attributed to J. Neil Shulman)
From owner-freebsd-security@FreeBSD.ORG Fri Dec 17 14:53:19 2004
From: Bill Vermillion
To: freebsd-security@freebsd.org
Date: Fri, 17 Dec 2004 09:53:15 -0500
Message-ID: <20041217145315.GB68582@wjv.com>
In-Reply-To: <20041217120138.7A89116A4D2@hub.freebsd.org>
References: <20041217120138.7A89116A4D2@hub.freebsd.org>
Organization: W.J.Vermillion / Orlando - Winter Park
Reply-To: bv@wjv.com
Subject: Re: Strange command histories in hacked shell history

> Message: 1
> Date: Thu, 16 Dec 2004 20:31:05 +0800
> From: Ganbold
> Subject: Strange command histories in hacked shell server

Just a minor comment on one portion of your message.

[All deleted except the pertinent part - wjv]

> The machine is configured in such a way that everyone can create an account themselves.
> Some user dir permissions:
> ...
> drwxr-xr-x  2 root      wheel   512 Mar 29  2004 new
> drwx------  3 tamiraad  unix    512 Apr  9  2004 tamiraad
> drwxr-xr-x  6 tsgan     tsgan  1024 Dec 16 17:51 tsgan
> drwx------  4 tugstugi  unix    512 Dec 13 20:34 tugstugi
> drwxr-xr-x  5 unix      unix    512 Dec 13 12:37 unix
> ...
> A user should log on as new with password new to create an account.
> Accounting is enabled and kern.securelevel is set to 2. Only one
> account 'tsgan' is in the wheel group and only tsgan can become root
> using su.

I've asked others before and never got a real answer on the design of 'su', which to my way of thinking has a security hole that should be fixed.

su checks the EUID of the user to see if they are in 'wheel' to enable them to su to root. It would seem to me it should use the UID.

In your case if the 'tsgan' account does not have a secure password, and someone breaches the 'tsgan' account in any manner, such as a SUID tsgan as I see it, then that user who cracked the 'tsgan' account can su to root.

So in your case there is the possibility that someone else su'ed to 'tsgan' and then su'ed to root.
Can anyone explain why su does not use the UID from the login instead of the EUID? It strikes me as a security hole, but I'm no security expert so explanations either way would be welcomed.

Bill

--
Bill Vermillion - bv @ wjv . com

From owner-freebsd-security@FreeBSD.ORG Fri Dec 17 15:03:25 2004
From: "Peter C. Lai"
To: Bill Vermillion
cc: freebsd-security@freebsd.org
Date: Fri, 17 Dec 2004 10:03:24 -0500
Message-ID: <20041217150324.GE1331@cowbert.net>
In-Reply-To: <20041217145315.GB68582@wjv.com>
References: <20041217120138.7A89116A4D2@hub.freebsd.org> <20041217145315.GB68582@wjv.com>
Subject: Re: Strange command histories in hacked shell history

I thought on BSD, there was no distinction between euid and uid. If you login as user 'foo', and su to 'bar', your uid is bar and you gain all of "bar"'s privs.

On Fri, Dec 17, 2004 at 09:53:15AM -0500, Bill Vermillion wrote:
> > Message: 1
> > Date: Thu, 16 Dec 2004 20:31:05 +0800
> > From: Ganbold
> > Subject: Strange command histories in hacked shell server
>
> Just a minor comment on one portion of your message.
>
> [All deleted except the pertinent part - wjv]
>
> > The machine is configured in such a way that everyone can create an account themselves.
> > Some user dir permissions:
> > ...
> > drwxr-xr-x  2 root      wheel   512 Mar 29  2004 new
> > drwx------  3 tamiraad  unix    512 Apr  9  2004 tamiraad
> > drwxr-xr-x  6 tsgan     tsgan  1024 Dec 16 17:51 tsgan
> > drwx------  4 tugstugi  unix    512 Dec 13 20:34 tugstugi
> > drwxr-xr-x  5 unix      unix    512 Dec 13 12:37 unix
> > ...
> > A user should log on as new with password new to create an account.
> >
> > Accounting is enabled and kern.securelevel is set to 2. Only one
> > account 'tsgan' is in the wheel group and only tsgan can become root
> > using su.
>
> I've asked others before and never got a real answer on the design
> of 'su', which to my way of thinking has a security hole that should
> be fixed.
>
> su checks the EUID of the user to see if they are in 'wheel' to
> enable them to su to root. It would seem to me it should
> use the UID.
>
> In your case if the 'tsgan' account does not have a secure
> password, and someone breaches the 'tsgan' account in any manner, such
> as a SUID tsgan as I see it, then that user who cracked the 'tsgan'
> account can su to root.
>
> So in your case there is the possibility that someone else
> su'ed to 'tsgan' and then su'ed to root.
>
> Can anyone explain why su does not use the UID from the login
> instead of the EUID? It strikes me as a security hole, but I'm no
> security expert so explanations either way would be welcomed.
>
> Bill
>
> --
> Bill Vermillion - bv @ wjv . com
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

--
Peter C. Lai
University of Connecticut
Dept. of Molecular and Cell Biology
Yale University School of Medicine
SenseLab | Research Assistant
http://cowbert.2y.net/

From owner-freebsd-security@FreeBSD.ORG Fri Dec 17 15:36:34 2004
From: Bill Vermillion
To: freebsd-security@freebsd.org
Reply-To: bv@wjv.com
Date: Fri, 17 Dec 2004 10:36:29 -0500
Message-ID: <20041217153629.GD68582@wjv.com>
In-Reply-To: <20041217150324.GE1331@cowbert.net>
References: <20041217120138.7A89116A4D2@hub.freebsd.org> <20041217145315.GB68582@wjv.com> <20041217150324.GE1331@cowbert.net>
Organization: W.J.Vermillion / Orlando - Winter Park
Subject: Re: Strange command histories in hacked shell history

"My nipple is going to burst with pleasure!" exclaimed Peter C. Lai while reading this message on Fri, Dec 17, 2004 at 10:03 and then responded with:

> I thought on BSD, there was no distinction between euid and uid. If you login
> as user 'foo', and su to 'bar', your uid is bar and you gain all of "bar"'s
> privs.
>

And why should it be that way? It seems that in this day of security this isn't the most secure way of doing things. I never did get an answer in the past as to why this is still being done this way.

Your explanation is exactly the way it works, and it just seems wrong to me.

> On Fri, Dec 17, 2004 at 09:53:15AM -0500, Bill Vermillion wrote:
> > > Message: 1
> > > Date: Thu, 16 Dec 2004 20:31:05 +0800
> > > From: Ganbold
> > > Subject: Strange command histories in hacked shell server
> >
> > Just a minor comment on one portion of your message.
> >
> > [All deleted except the pertinent part - wjv]
> >
> > > The machine is configured in such a way that everyone can create an account themselves.
> > > Some user dir permissions:
> > > ...
> > > drwxr-xr-x  2 root      wheel   512 Mar 29  2004 new
> > > drwx------  3 tamiraad  unix    512 Apr  9  2004 tamiraad
> > > drwxr-xr-x  6 tsgan     tsgan  1024 Dec 16 17:51 tsgan
> > > drwx------  4 tugstugi  unix    512 Dec 13 20:34 tugstugi
> > > drwxr-xr-x  5 unix      unix    512 Dec 13 12:37 unix
> > > ...
> > > A user should log on as new with password new to create an account.
> > >
> > > Accounting is enabled and kern.securelevel is set to 2. Only one
> > > account 'tsgan' is in the wheel group and only tsgan can become root
> > > using su.
> >
> > I've asked others before and never got a real answer on the design
> > of 'su', which to my way of thinking has a security hole that should
> > be fixed.
> >
> > su checks the EUID of the user to see if they are in 'wheel' to
> > enable them to su to root. It would seem to me it should
> > use the UID.
> >
> > In your case if the 'tsgan' account does not have a secure
> > password, and someone breaches the 'tsgan' account in any manner, such
> > as a SUID tsgan as I see it, then that user who cracked the 'tsgan'
> > account can su to root.
> >
> > So in your case there is the possibility that someone else
> > su'ed to 'tsgan' and then su'ed to root.
> >
> > Can anyone explain why su does not use the UID from the login
> > instead of the EUID? It strikes me as a security hole, but I'm no
> > security expert so explanations either way would be welcomed.
> >
> > Bill
> >
> > --
> > Bill Vermillion - bv @ wjv . com
>
> --
> Peter C. Lai
> University of Connecticut
> Dept. of Molecular and Cell Biology
> Yale University School of Medicine
> SenseLab | Research Assistant
> http://cowbert.2y.net/
>

--
Bill Vermillion - bv @ wjv . com

From owner-freebsd-security@FreeBSD.ORG Fri Dec 17 15:51:38 2004
From: "Jerry Bell"
To: freebsd-security@freebsd.org
Date: Fri, 17 Dec 2004 10:51:35 -0500 (EST)
Message-ID: <2641.209.134.164.137.1103298695.squirrel@209.134.164.137>
Subject: re: Strange command histories in hacked shell server

Did I understand correctly, that anyone can connect to the shell server and create an account for themselves?

I have a somewhat rudimentary hardening guide for FreeBSD at http://www.syslog.org/Content-5-4.phtml
I've tried to keep it up-to-date, but I have yet to incorporate MAC, which I think will help out a good bit more.

I hope you find this useful.

Jerry
http://www.syslog.org

Ganbold micom.mng.net> wrote:
>Please give me some advice and info regarding this kind of hack.
>What should I do in order to secure my shell server? I mean except
>securelevel, unneeded services etc.
>Can somebody give me some hints on file and directory permissions?
>Is there anybody who has similar server config and already had such issues
>and problems?

From owner-freebsd-security@FreeBSD.ORG Fri Dec 17 16:08:36 2004
From: Richard Kojedzinszky
To: Jerry Bell
cc: freebsd-security@freebsd.org
Date: Fri, 17 Dec 2004 17:08:33 +0100 (CET)
In-Reply-To: <2641.209.134.164.137.1103298695.squirrel@209.134.164.137>
References: <2641.209.134.164.137.1103298695.squirrel@209.134.164.137>
Subject: re: Strange command histories in hacked shell server

Dear all,

if you do su, uid and euid change together. But when you issue passwd, a setuid root program, the uid remains your uid; that is how passwd knows who is executing it.

Kojedzinszky Richard
TvNetWork Rt.
E-mail: krichy@tvnetwork.hu
PGP: 0x24E79141
Fingerprint = 6847 ECFF EF58 0C09 18A5 16CF 270F 0C6F 24E7 9141

On Fri, 17 Dec 2004, Jerry Bell wrote:

> Did I understand correctly, that anyone can connect to the shell server
> and create an account for themselves?
>
> I have a somewhat rudimentary hardening guide for FreeBSD at
> http://www.syslog.org/Content-5-4.phtml
> I've tried to keep it up-to-date, but I have yet to incorporate MAC, which
> I think will help out a good bit more.
>
> I hope you find this useful.
>
> Jerry
> http://www.syslog.org
>
> Ganbold micom.mng.net> wrote:
> >Please give me some advice and info regarding this kind of hack.
> >What should I do in order to secure my shell server? I mean except
> >securelevel, unneeded services etc.
> >Can somebody give me some hints on file and directory permissions?
> >Is there anybody who has similar server config and already had such issues
> >and problems?
>

From owner-freebsd-security@FreeBSD.ORG Sat Dec 18 02:11:33 2004
From: Elvedin Trnjanin
To: bv@wjv.com
cc: freebsd-security@freebsd.org
Date: Fri, 17 Dec 2004 20:11:10 -0600
Message-ID: <41C391BE.3030604@earthlink.net>
In-Reply-To: <20041217145315.GB68582@wjv.com>
References: <20041217120138.7A89116A4D2@hub.freebsd.org> <20041217145315.GB68582@wjv.com>
Subject: Re: Strange command histories in hacked shell history

Bill Vermillion wrote:

>
>Can anyone explain why su does not use the UID from the login
>instead of the EUID? It strikes me as a security hole, but I'm no
>security expert so explanations either way would be welcomed.
>
>Bill
>

Because su does exactly what it says. From the manual -

DESCRIPTION

*su* requests the password for /login/ and switches to that user and group ID after obtaining proper authentication.

Just for fun, here's a little snippet from the sudo manual -

DESCRIPTION

*sudo* allows a permitted user to execute a /command/ as the superuser or another user, as specified in the /sudoers/ file. The real and effective uid and gid are set to match those of the target user as specified in the passwd file and the group vector is initialized based on blah blah blah...
--
http://www.ods.org

From owner-freebsd-security@FreeBSD.ORG Sat Dec 18 02:26:00 2004
From: Bill Vermillion
To: freebsd-security@freebsd.org
Reply-To: bv@wjv.com
Date: Fri, 17 Dec 2004 21:25:56 -0500
Message-ID: <20041218022556.GA85192@wjv.com>
In-Reply-To: <41C391BE.3030604@earthlink.net>
References: <20041217120138.7A89116A4D2@hub.freebsd.org> <20041217145315.GB68582@wjv.com> <41C391BE.3030604@earthlink.net>
Organization: W.J.Vermillion / Orlando - Winter Park
Subject: Re: Strange command histories in hacked shell history

Deep in the forest in the dark of night on Fri, Dec 17, 2004 at 20:11 with a cackle and an evil grin Elvedin Trnjanin cast another eye of newt into the brew and chanted:

> Bill Vermillion wrote:
>
> >Can anyone explain why su does not use the UID from the login
> >instead of the EUID? It strikes me as a security hole, but I'm no
> >security expert so explanations either way would be welcomed.

> Because su does exactly what it says. From the manual -
>
> DESCRIPTION
>
> *su* requests the password for /login/ and switches to that user and
> group ID
> after obtaining proper authentication.
>

I understand that after using Unix for about 2 decades. However in FreeBSD a user is supposed to be in the wheel group [if it exists] to be able to su to root.

But if a person who is not in wheel su's to a user who is in wheel, then they can su to root - as the system sees them as the other user. This means that the 'wheel' security really is nothing more than a 2 password method to get to root.

If the EUID of the original invoker is checked, even if they su'ed to a person in wheel, then they should not be able to su to root.

I'm asking why this is permitted, or alternatively why putting a user in the wheel group is supposed to make things secure, when in reality it just makes it seem more secure - as there is only one more password to crack.

> DESCRIPTION
>
> *sudo* allows a permitted user to execute a /command/ as the superuser
> or another user, as specified in the /sudoers/ file. The real and
> effective uid and gid are set to match those of the target user as
> specified in the passwd file and the group vector is initialized based
> on blah blah blah...

And I use this for about two people who need extra levels to do certain things for their web sites.

Bill

--
Bill Vermillion - bv @ wjv . com

From owner-freebsd-security@FreeBSD.ORG Sat Dec 18 03:21:54 2004
From: Scott Gerhardt
To: bv@wjv.com
cc: freebsd-security@freebsd.org
Date: Fri, 17 Dec 2004 21:21:51 -0600
In-Reply-To: <20041218022556.GA85192@wjv.com>
References: <20041217120138.7A89116A4D2@hub.freebsd.org> <20041217145315.GB68582@wjv.com> <41C391BE.3030604@earthlink.net> <20041218022556.GA85192@wjv.com>
Subject: Re: Strange command histories in hacked shell history

> I understand that after using Unix for about 2 decades.
> However in FreeBSD a user is supposed to be in the wheel group [if
> it exists] to be able to su to root.
>
> But if a person who is not in wheel su's to a user who is in wheel,
> then they can su to root - as the system sees them as the other
> user. This means that the 'wheel' security really is nothing more
> than a 2 password method to get to root.
>
> If the EUID of the original invoker is checked, even if they su'ed
> to a person in wheel, then they should not be able to su to root.
>
> I'm asking why this is permitted, or alternatively why putting a
> user in the wheel group is supposed to make things secure, when in
> reality it just makes it seem more secure - as there is only one
> more password to crack.
>

This makes no sense. If you can su to a user in the wheel group as an unprivileged user you need to know the user's password and you also need to know root's password to su to root. This seems pretty secure to me. If you want to be more secure than this then use sudo.

--
Scott

From owner-freebsd-security@FreeBSD.ORG Sat Dec 18 04:14:24 2004
Message-ID: <41C3AE7B.2040002@earthlink.net>
Date: Fri, 17 Dec 2004 22:13:47 -0600
From: Elvedin Trnjanin
To: bv@wjv.com
cc: freebsd-security@freebsd.org
In-Reply-To: <20041218022556.GA85192@wjv.com>
References: <20041217120138.7A89116A4D2@hub.freebsd.org> <20041217145315.GB68582@wjv.com> <41C391BE.3030604@earthlink.net> <20041218022556.GA85192@wjv.com>
Subject: Re: Strange command histories in hacked shell history

Bill Vermillion wrote:

> I understand that after using Unix for about 2 decades.
>
> However in FreeBSD a user is supposed to be in the wheel group [if
> it exists] to be able to su to root.
>
> But if a person who is not in wheel su's to a user who is in wheel,
> then they can su to root - as the system sees them as the other
> user.
>
> This means that the 'wheel' security really is nothing more
> than a 2 password method to get to root.
>

Precisely. If you don't like this then the way around is to only allow a certain group access to su and none for everyone else.

> If the EUID of the original invoker is checked, even if they su'ed
> to a person in wheel, then they should not be able to su to root.
>
> I'm asking why this is permitted, or alternatively why putting a
> user in the wheel group is supposed to make things secure, when in
> reality it just makes it seem more secure - as there is only one
> more password to crack.
>

One more password to crack is more time which means a better chance of catching the cracker in the act. Although I don't know exactly why the authors of su did it the way they did, my first and best guess would be convenience. The two password method is better than a new login session each time you want to get to root. Second best guess would be that they didn't figure out that issue or at least think much of it.
--
---
Elvedin Trnjanin
http://www.ods.org

From owner-freebsd-security@FreeBSD.ORG Sat Dec 18 07:14:47 2004
From: Ed Stover
To: Elvedin Trnjanin, bv@wjv.com
cc: freebsd-security@freebsd.org
Organization: Native Nerds
Date: Sat, 18 Dec 2004 00:14:39 -0700
Message-Id: <1103354079.16723.6.camel@red.nativenerds.com>
In-Reply-To: <41C3AE7B.2040002@earthlink.net>
References: <20041217120138.7A89116A4D2@hub.freebsd.org> <20041217145315.GB68582@wjv.com> <41C391BE.3030604@earthlink.net> <20041218022556.GA85192@wjv.com> <41C3AE7B.2040002@earthlink.net>
Subject: Re: Strange command histories in hacked shell history

I like the idea of being able to allow certain users the ability to utilize one privileged task while not granting that user the ability to really do damage on a system. And yes I believe that a user will exist in wheel when he/she/it has the knowledge and skills needed for accountability. Yes (I sense it coming), I also believe that properly utilizing the user and group functions on a FreeBSD machine is really the way it should be done, but what fun can be had without bells, whistles and nifty programs that do the thinking for us? Personally I don't trust too many to be in my wheel and my favorite practice is

# chflags schg files

bash-3.00$ sudo echo "woohooIhavekeysforjustrestartingfaileddaemons"| wall &&rm -rf /etc && dd if=/dev/zero of=/var/testfile bs=1024 count=99999999&

v.s.

bash-3.00# su -l root
bash-3.00# echo "woohooIhavekeysforeverything"|wall &&rm -rf /etc && dd if=/dev/zero of=/var/testfile bs=1024 count=99999999&

On Fri, 2004-12-17 at 22:13 -0600, Elvedin Trnjanin wrote:
> Bill Vermillion wrote:
>
> > I understand that after using Unix for about 2 decades.
> >
> > However in FreeBSD a user is supposed to be in the wheel group [if
> > it exists] to be able to su to root.
> >
> > But if a person who is not in wheel su's to a user who is in wheel,
> > then they can su to root - as the system sees them as the other
> > user.
> >
> > This means that the 'wheel' security really is nothing more
> > than a 2 password method to get to root.
> >
>
> Precisely. If you don't like this then the way around is to only allow
> a certain group access to su and none for everyone else.
>
> > If the EUID of the original invoker is checked, even if they su'ed
> > to a person in wheel, then they should not be able to su to root.
> >
> > I'm asking why this is permitted, or alternatively why putting a
> > user in the wheel group is supposed to make things secure, when in
> > reality it just makes it seem more secure - as there is only one
> > more password to crack.
> >
>
> One more password to crack is more time which means a better chance
> of catching the cracker in the act.
> Although I don't know exactly why the authors of su did it the way
> they did, my first and best guess would be convenience. The two
> password method is better than a new login session each time you want
> to get to root. Second best guess would be that they didn't figure
> out that issue or at least think much of it.
>
> --
> ---
> Elvedin Trnjanin
> http://www.ods.org

From owner-freebsd-security@FreeBSD.ORG Sat Dec 18 11:39:05 2004
From: "Slawek"
Date: Sat, 18 Dec 2004 12:39:06 +0100
Message-ID: <014a01c4e4f6$2ed05730$0505a8c0@Slawek>
References: <20041217120138.7A89116A4D2@hub.freebsd.org> <20041217145315.GB68582@wjv.com> <41C391BE.3030604@earthlink.net> <20041218022556.GA85192@wjv.com>
X-Organisation: Telsat GP
Subject: Re: Strange command histories in hacked shell history

Hello!

In message sent Fri, 17 Dec 2004 21:25:56 -0500 you wrote:

BV> I understand that after using Unix for about 2 decades.
BV> However in FreeBSD a user is supposed to be in the wheel group [if
BV> it exists] to be able to su to root.

BV> But if a person who is not in wheel su's to a user who is in wheel,
BV> then they can su to root - as the system sees them as the other
BV> user. This means that the 'wheel' security really is nothing more
BV> than a 2 password method to get to root.

BV> If the EUID of the original invoker is checked, even if they su'ed
BV> to a person in wheel, then they should not be able to su to root.

You can block access to su for untrusted users. Although keep in mind that attackers would still be able to log in to a cracked wheel UID using ssh and then su to root - it still doesn't need anything more than the same two passwords. You can disable password logins for wheel UIDs altogether and log in using certificates.

--
Slawomir Piotrowski

From owner-freebsd-security@FreeBSD.ORG Sat Dec 18 11:45:57 2004
Message-ID: <41C41869.5040408@winbot.co.uk>
Date: Sat, 18 Dec 2004 11:45:45 +0000
From: Craig Edwards
Organization: Crypt Software
To: estover@nativenerds.com, freebsd-security@freebsd.org
References: <20041217120138.7A89116A4D2@hub.freebsd.org> <20041217145315.GB68582@wjv.com> <41C391BE.3030604@earthlink.net> <20041218022556.GA85192@wjv.com> <41C3AE7B.2040002@earthlink.net> <1103354079.16723.6.camel@red.nativenerds.com>
In-Reply-To: <1103354079.16723.6.camel@red.nativenerds.com>
Subject: Re: Strange command histories in hacked shell history

You could change the permissions on the su binary, so that only users in the wheel group can even execute su. That way, when a non-wheel user attempts to su to a user in the wheel group, they simply get permission denied. The idea of chmod'ing your suid binaries is always good in my opinion, and will stop this from happening simply and easily without having to change any code.

Ed Stover wrote:
> I like the idea of being able to allow certain users the ability to
> utilize one privileged task while not granting that user the ability to
> really do damage on a system. And yes I believe that a user will exist
> in wheel when he/she/it has the knowledge and skills needed for
> accountability. Yes (I sense it coming), I also believe that properly
> utilizing the user and group functions on a FreeBSD machine is really
> the way it should be done, but what fun can be had without bells,
> whistles and nifty programs that do the thinking for us? Personally I
> don't trust too many to be in my wheel and my favorite practice is
> # chflags schg files
>
>
> bash-3.00$ sudo echo "woohooIhavekeysforjustrestartingfaileddaemons"|
> wall &&rm -rf /etc && dd if=/dev/zero of=/var/testfile bs=1024
> count=99999999&
> v.s.
> bash-3.00# su -l root
> bash-3.00# echo "woohooIhavekeysforeverything"|wall &&rm -rf /etc && dd
> if=/dev/zero of=/var/testfile bs=1024 count=99999999&
>
>
>
> On Fri, 2004-12-17 at 22:13 -0600, Elvedin Trnjanin wrote:
>
>> Bill Vermillion wrote:
>>
>>> I understand that after using Unix for about 2 decades.
>>>
>>> However in FreeBSD a user is supposed to be in the wheel group [if
>>> it exists] to be able to su to root.
>>>
>>> But if a person who is not in wheel su's to a user who is in wheel,
>>> then they can su to root - as the system sees them as the other
>>> user.
>>>
>>> This means that the 'wheel' security really is nothing more
>>> than a 2 password method to get to root.
>>>
>>
>> Precisely. If you don't like this then the way around is to only allow
>> a certain group access to su and none for everyone else.
>>
>>> If the EUID of the original invoker is checked, even if they su'ed
>>> to a person in wheel, then they should not be able to su to root.
>>>
>>> I'm asking why this is permitted, or alternatively why putting a
>>> user in the wheel group is supposed to make things secure, when in
>>> reality it just makes it seem more secure - as there is only one
>>> more password to crack.
>>>
>>
>> One more password to crack is more time which means a better chance
>> of catching the cracker in the act. Although I don't know exactly why
>> the authors of su did it the way they did, my first and best guess
>> would be convenience. The two password method is better than a new
>> login session each time you want to get to root. Second best guess
>> would be that they didn't figure out that issue or at least think
>> much of it.
>>
>> --
>> ---
>> Elvedin Trnjanin
>> http://www.ods.org

--
WinBot IRC client developer: http://www.winbot.co.uk
ChatSpike - The users network: http://www.chatspike.net
InspIRCd - Modular IRC server: http://www.inspircd.org
Online RPG Developer: http://www.ssod.org

From owner-freebsd-security@FreeBSD.ORG Sat Dec 18 12:18:53 2004
From: wsx
Organization: NetBugs Inc.
To: freebsd-security@freebsd.org
Date: Sat, 18 Dec 2004 15:18:55 +0300
Message-Id: <200412181518.55782.security@noc.kstu-kai.ru>
Subject: Active ftp connection

Hello dear friends...

I have a problem. My FTP server must have an active ftp connection. It means that in ipfw rules I must allow outgoing connections (like ipfw add allow tcp from me to any keep-state). But I don't want to use this rule. I want to restrict my outgoing connections. Does FreeBSD have a feature for this situation?

P.S.
Only for test we developed a little root-kit, which can use only outgoing connections. Example:
1. rootkit gets a command from remote machine
2. do this command.
3. connects to remote machine and returns result.
So we haven't got connections to my server, only outgoing..

Best regards..
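As an added illustration of the rule set the poster is asking for (example code, not anything posted in this thread): active-mode FTP data connections are opened by the server from source port 20 (ftp-data) towards the client, so the only outbound connection the firewall has to permit is one whose source port is 20; every other connection the host originates can be refused. The fragment below emits that ipfw rule set next to the broad rule quoted in the question. The rule numbers 1000-1030, the IPFW dry-run variable and the function names are my assumptions, and the control channel is assumed to be on port 21.

```shell
#!/bin/sh
# Added example, not from the thread: ipfw rules that leave an FTP server
# able to open active-mode data connections while refusing every other TCP
# connection the host itself tries to originate.
#
# Defaults to a dry run that prints the commands for review; run as root
# with IPFW=ipfw to actually load them. Rule numbers are assumptions.

IPFW=${IPFW:-echo ipfw}

ftp_outbound_rules() {
  # Packets belonging to a dynamic rule created by keep-state below pass here.
  $IPFW add 1000 check-state
  # Inbound control channel to the ftpd on port 21.
  $IPFW add 1010 allow tcp from any to me 21 setup keep-state
  # Outbound active-mode data channel: only connections sourced from port 20.
  $IPFW add 1020 allow tcp from me 20 to any setup keep-state
  # Any other connection this host tries to originate (SYN without ACK)
  # is refused.
  $IPFW add 1030 deny tcp from me to any setup
}

# The rule from the question, shown for contrast: it lets the host
# originate a TCP connection to anywhere, which is what the poster
# wants to avoid.
broad_outbound_rule() {
  $IPFW add 1020 allow tcp from me to any keep-state
}

ftp_outbound_rules
```

The restriction is enforced on port numbers, not on which program opened the socket, so it constrains unprivileged processes but cannot tell ftpd apart from any other root-owned process using the same source port; against a root-level compromise it narrows the outbound path rather than closing it.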
From owner-freebsd-security@FreeBSD.ORG Sat Dec 18 12:44:48 2004
Date: Sat, 18 Dec 2004 13:43:55 +0100
From: DanGer
Message-ID: <12410554059.20041218134355@wilbury.sk>
To: wsx, freebsd-security@freebsd.org
In-Reply-To: <200412181518.55782.security@noc.kstu-kai.ru>
References: <200412181518.55782.security@noc.kstu-kai.ru>
Subject: Re: Active ftp connection

Hello wsx,

Saturday, December 18, 2004, 1:18:55 PM, you wrote:

> Hello dear friends...
> I have a problem. My FTP server must have an active ftp connection.
> It means that in ipfw rules I must allow outgoing connections (like ipfw add
> allow tcp from me to any keep-state).
> But I don't want to use this rule. I want to restrict my outgoing connections. Does
> FreeBSD have a feature for this situation?

what about allowing these outgoing connections only for ftpd's port?

> P.S.
> Only for test we developed a little root-kit, which can use only outgoing
> connections. Example:
> 1. rootkit gets a command from remote machine
> 2. do this command.
> 3. connects to remote machine and returns result.
> So we haven't got connections to my server, only outgoing..
> Best regards..

--
CU soon
DanGer | DanGer@IRCnet ICQ261701668 | http://danger.homeunix.org

From owner-freebsd-security@FreeBSD.ORG Sat Dec 18 13:06:30 2004
Date: Sat, 18 Dec 2004 10:10:33 -0300 (ART)
From: Fernando Gleiser
To: wsx
cc: freebsd-security@freebsd.org
In-Reply-To: <200412181518.55782.security@noc.kstu-kai.ru>
Message-ID: <20041218100553.K71541@cactus.fi.uba.ar>
References: <200412181518.55782.security@noc.kstu-kai.ru>
Subject: Re: Active ftp connection

On Sat, 18 Dec 2004, wsx wrote:

> Hello dear friends...
>
> I have a problem. My FTP server must have an active ftp connection.
> It means that in ipfw rules I must allow outgoing connections (like ipfw add
> allow tcp from me to any keep-state).
> But I don't want to use this rule. I want to restrict my outgoing connections.

Active FTP-data goes from server IP:port 20 to client IP:random port. You don't need to open ALL outgoing traffic, just those coming from port 20 on your ftp server.

Fer

From owner-freebsd-security@FreeBSD.ORG Fri Dec 17 16:52:05 2004
Message-ID: <65182.81.84.175.77.1103291255.squirrel@81.84.175.77>
In-Reply-To: <6.2.0.14.2.20041216195558.030b0eb0@202.179.0.80>
References: <6.2.0.14.2.20041216195558.030b0eb0@202.179.0.80>
Date: Fri, 17 Dec 2004 07:47:35 -0600 (CST)
From: security@revolutionsp.com
To: "Ganbold"
X-Priority: 3 (Normal) Importance: Normal X-Mailman-Approved-At: Sat, 18 Dec 2004 13:54:05 +0000 cc: freebsd-security@freebsd.org Subject: Re: Strange command histories in hacked shell server X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 17 Dec 2004 16:52:05 -0000 You should have a script that creates a new user when people login with 'new'. Have you forbid that script from overwriting your wheel account and re-creating root? > Hi, > > Sorry for cross posting. > > I have with FreeBSD 5.3-stable server which serves as a public shell > server. > > FreeBSD public.ub.mng.net 5.3-STABLE FreeBSD 5.3-STABLE #6: Wed Nov 24 > 15:55:36 ULAT 2004 tsgan@public.ub.mng.net:/usr/obj/usr/src/sys/PSH > i386 > > It has ssh and proftp-1.2.10 daemons. > > However it was hacked and I'm trying to analyze it and having some > difficulties. > > Machine is configured in such way that everyone can create an account > itself. > Some user dir permissions: > ... > drwxr-xr-x 2 root wheel 512 Mar 29 2004 new > drwx------ 3 tamiraad unix 512 Apr 9 2004 tamiraad > drwxr-xr-x 6 tsgan tsgan 1024 Dec 16 17:51 tsgan > drwx------ 4 tugstugi unix 512 Dec 13 20:34 tugstugi > drwxr-xr-x 5 unix unix 512 Dec 13 12:37 unix > ... > User should log on as new with password new to create an account. > > Accounting is enabled and kern.securelevel is set to 2. > Only one account 'tsgan' is in wheel group and only tsgan gan become root > using su. > > Following is the some strange output from grave-robber (coroner toolkit): > ... > Dec 13 04 20:18:40 5 m.c -rw-rw---- tugstugi > smmsp /var/spool/clientmqueue/dfiBDCIeD0001529 > Dec 13 04 20:34:58 512 m.. 
drwx------ tugstugi unix > /home/tugstugi > Dec 13 04 20:35:57 512 ..c drwx------ tugstugi unix > /home/tugstugi > Dec 14 04 00:19:56 0 m.c -rw-rw-rw- tugstugi > unix /home/tugstugi/.myrc > > Dec 14 04 00:20:50 9665 m.. -rw-r--r-- tugstugi > unix /home/tsgan/.tmp/known_hosts > 9665 m.c -rw-r--r-- tugstugi > unix /home/tugstugi/.ssh/known_hosts > > Dec 15 04 19:12:21 1002 m.c -rw------- tugstugi > unix /home/tugstugi/.shrc > ... > Somehow he seems like copied /home/tugstugi/.ssh/known_hosts to > home/tsgan/.tmp/known_hosts. > I don't know why. > > > Following is lastcomm output: > ... > sshd -F tugstugi __ 0.16 secs Tue Dec 14 > 23:01 > sh - tugstugi #C:5:0x1 0.03 secs Tue Dec 14 > 23:02 > su - tugstugi #C:5:0x1 0.02 secs Tue Dec 14 > 23:38 > ... > sshd -F tugstugi __ 0.08 secs Tue Dec 14 > 22:41 > sh - tugstugi #C:5:0x1 0.02 secs Tue Dec 14 > 22:41 > who - tugstugi #C:5:0x1 0.00 secs Tue Dec 14 > 22:52 > su - tugstugi #C:5:0x1 0.02 secs Tue Dec 14 > 22:48 > sh - tsgan #C:5:0x1 0.00 secs Tue Dec 14 > 22:48 > ls - tsgan #C:5:0x1 0.00 secs Tue Dec 14 > 22:52 > su - tsgan #C:5:0x1 0.02 secs Tue Dec 14 > 22:49 > csh - root #C:5:0x1 0.03 secs Tue Dec 14 > 22:49 > ... > > In above I think he already hijacked my account and root password so he > used su to > become root. > > sshd -F tsgan __ 0.02 secs Tue Dec 14 > 00:27 > sh - tsgan ttyp0 0.02 secs Tue Dec 14 > 00:27 > cat - tsgan ttyp0 0.00 secs Tue Dec 14 > 00:28 > su - tsgan ttyp0 0.00 secs Tue Dec 14 > 00:28 > sleep - tsgan ttyp0 0.00 secs Tue Dec 14 > 00:27 > ^^^^^^ > stty - tsgan ttyp0 0.00 secs Tue Dec 14 > 00:27 > stty - tsgan ttyp0 0.00 secs Tue Dec 14 > 00:27 > ^^^^^^ > fortune - tsgan ttyp0 0.00 secs Tue Dec 14 > 00:27 > ... > > I don't quite understand why he used sleep and stty commands in above. > My suspect is tty hijacking. Am I right? Correct me if I'm wrong. 
> > sleep - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 > 00:24 > stty - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 > 00:24 > stty - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 > 00:24 > ... > id - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 > 00:24 > sleep - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 > 00:24 > stty - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 > 00:24 > stty - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 > 00:24 > id - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 > 00:24 > cat - tsgan #C:5:0x2 0.00 secs Tue Dec 14 > 00:24 > ls - tsgan #C:5:0x2 0.00 secs Tue Dec 14 > 00:24 > su - tsgan #C:5:0x2 0.02 secs Tue Dec 14 > 00:23 > sh - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 > 00:23 > ls - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 > 00:23 > id - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 > 00:23 > ls - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 > 00:23 > sleep - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 > 00:23 > stty - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 > 00:23 > stty - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 > 00:23 > ls - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 > 00:23 > id - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 > 00:23 > ls - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 > 00:23 > cat - tsgan #C:5:0x2 0.00 secs Tue Dec 14 > 00:23 > su - tsgan #C:5:0x2 0.02 secs Tue Dec 14 > 00:23 > cat - tsgan #C:5:0x2 0.00 secs Tue Dec 14 > 00:22 > sleep - tsgan #C:5:0x2 0.00 secs Tue Dec 14 > 00:22 > stty - tsgan #C:5:0x2 0.00 secs Tue Dec 14 > 00:22 > stty - tsgan #C:5:0x2 0.00 secs Tue Dec 14 > 00:22 > fortune - tsgan #C:5:0x2 0.00 secs Tue Dec 14 > 00:22 > ... > One more strange thing is "#C:5:0x2". What is this? > > Again I'm suspecting that, this guy hijacked my tty and got tsgan and then > he could log my keystroke and > get root password. Am I right? > > Please give me some advice and info regarding this kind of hack. > What should I do in order to secure my shell server? I mean except > securelevel, unneeded services etc. > Can somebody give me some hints on file and directory permissions? 
Is there anybody who has a similar server config and has already had such
issues and problems?
I would appreciate it very much if somebody could help me in this regard.

thanks in advance,

Ganbold

_______________________________________________
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Sat Dec 18 10:45:10 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C077816A4CE for ; Sat, 18 Dec 2004 10:45:10 +0000 (GMT) Received: from marvin.muc.de (marvin.muc.de [193.149.48.2]) by mx1.FreeBSD.org (Postfix) with SMTP id C825F43D1D for ; Sat, 18 Dec 2004 10:45:09 +0000 (GMT) (envelope-from mod-submit@uni-berlin.de) Received: (qmail 70468 invoked by alias); 18 Dec 2004 10:45:08 -0000 Delivered-To: mods-muc-lists-freebsd-security@moderators.muc.de Received: (qmail 70461 invoked from network); 18 Dec 2004 10:45:07 -0000 Received: from mail.fu-berlin.de (130.133.1.2) by marvin.muc.de with SMTP; 18 Dec 2004 10:45:07 -0000 Received: by Mail.FU-Berlin.DE (Exim 4.42) from curry.zedat.fu-berlin.de ([160.45.10.36]) for muc-lists-freebsd-security@moderators.muc.de with esmtp id <1Cfc5D-0005kz-IG>; Sat, 18 Dec 2004 11:45:07 +0100 Received: by Curry.ZEDAT.FU-Berlin.DE (Smail3.2.0.98) from news.uni-berlin.de with bsmtp id ; Sat, 18 Dec 2004 11:45:07 +0100 (MET) To: muc-lists-freebsd-security@moderators.muc.de Path: individual.net!not-for-mail From: Rudolf Polzer Newsgroups: mpc.lists.freebsd.security,muc.lists.freebsd.security Date: 18 Dec 2004 10:45:06 GMT Lines: 27 Message-ID: References: <20041217120138.7A89116A4D2@hub.freebsd.org> <20041217145315.GB68582@wjv.com> <41C391BE.3030604@earthlink.net> <20041218022556.GA85192@wjv.com> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-15
Content-Transfer-Encoding: 8bit X-Orig-X-Trace: individual.net wfdY/NdUgPc/QJEGUbV04g2fa6bXPiJWqkZmJ25xKCvG5UShhO User-Agent: slrn/0.9.8.1 (FreeBSD) X-Mailman-Approved-At: Sat, 18 Dec 2004 13:54:05 +0000 Subject: Re: Strange command histories in hacked shell history X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 18 Dec 2004 10:45:10 -0000

»Bill Vermillion« wrote:
> But if a person who is not in wheel su's to a user who is in wheel,
> then they can su to root - as the system sees them as the other
> user. This means that the 'wheel' security really is nothing more
> than a 2 password method to get to root.

It is exactly that.

> If the EUID of the original invoker is checked, even if they su'ed
> to a person in wheel, then they should not be able to su to root.

No, since the EUID is also changed on su.

> I'm asking why is this permitted, or alternatively why is putting a
> user in the wheel group supposed to make things secure, when in
> reality it just makes it seem more secure - as there is only one
> more password to crack.

Well, if su could not su from a non-wheel user to a wheel user, the user
would just ssh to localhost instead. For example.

-- 
/ --- Where bots rampage, I'm there to take them down! --- \
/ ------ Where trouble arises, I'm there to cause it! ------ \
\ Where an enemy tries to frag me, victory will be mine!!!1!
/ {{dup[exch{dup exec}fork =}loop}dup exec >> http://www.ccc-offenbach.org <<

From owner-freebsd-security@FreeBSD.ORG Sat Dec 18 16:08:38 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C7C9216A4CE for ; Sat, 18 Dec 2004 16:08:38 +0000 (GMT) Received: from wjv.com (fl-65-40-24-38.sta.sprint-hsd.net [65.40.24.38]) by mx1.FreeBSD.org (Postfix) with ESMTP id 17D3243D1F for ; Sat, 18 Dec 2004 16:08:38 +0000 (GMT) (envelope-from bv@bilver.wjv.com) Received: from bilver.wjv.com (localhost.wjv.com [127.0.0.1]) by wjv.com (8.12.11/8.13.1) with ESMTP id iBIG8YcY077504 for ; Sat, 18 Dec 2004 11:08:34 -0500 (EST) (envelope-from bv@bilver.wjv.com) Received: (from bv@localhost) by bilver.wjv.com (8.12.11/8.13.1/Submit) id iBIG8YSa077503 for freebsd-security@freebsd.org; Sat, 18 Dec 2004 11:08:34 -0500 (EST) (envelope-from bv) Date: Sat, 18 Dec 2004 11:08:34 -0500 From: Bill Vermillion To: freebsd-security@freebsd.org Message-ID: <20041218160834.GA76897@wjv.com> References: <20041218120130.C67DC16A4D1@hub.freebsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20041218120130.C67DC16A4D1@hub.freebsd.org> Organization: W.J.Vermillion / Orlando - Winter Park ReplyTo: bv@wjv.com User-Agent: Mutt/1.5.6i X-Spam-Status: No, score=-2.2 required=5.0 tests=ALL_TRUSTED,J_CHICKENPOX_53 autolearn=failed version=3.0.1 X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on bilver.wjv.com Subject: Re: Strange command histories in hacked shell history X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: bv@wjv.com List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 18 Dec 2004 16:08:38 -0000

Let me just comment on two items that are in the thread which I seem to
have caused to get a bit long.

On Sat, Dec 18, 2004 at 12:01 , while impersonating an expert on the
internet, freebsd-security-request@freebsd.org sent this to stdout:

> ------------------------------
> Message: 4
> Date: Fri, 17 Dec 2004 10:51:35 -0500 (EST)
> From: "Jerry Bell"
> Subject: re: Strange command histories in hacked shell server

> Did I understand correctly, that anyone can connect to the shell server
> and create an account for themselves?

> I have a somewhat rudimentary hardening guide for FreeBSD at
> http://www.syslog.org/Content-5-4.phtml

> I've tried to keep it up-to-date, but I have yet to incorporate
> IMAC, which I think will help out a good bit more.

> I hope you find this useful.

I do agree with that, especially the first paragraph " ... no matter how
paranoid your philosophy ..."

I have had one instance of an attempt where I had missed one machine out
of about 8 applying one security patch. All were patched within hours, the
one that got hit was 2 days later. You have to get to any patches as soon
as the hole becomes known.

And my machines are pretty accessible to the world being on a backbone.
One machine was getting about 300,000 spams/day until I finally took off
all MX for that domain. If anyone has problems they need to perform a whois
and use those contacts. It's one of those domains whose name alone drives
it up the list.

I haven't set the security levels high as that means that any problems
would require driving to the colo - and that's about 1/2 hour at 3AM - and
two to three times higher during the daylight hours.

...

> Message: 9
> Date: Fri, 17 Dec 2004 22:13:47 -0600
> From: Elvedin Trnjanin

And Elvedin wrote in reply to my post where I wrote:

> >This means that the 'wheel' security really is nothing more
> >than a 2 password method to get to root.

> Precisely. If you don't like this then the way around is to only
> allow a certain group access to su and none for everyone else.

That thought had not crossed my mind. Craig also mentioned that.
[his comment follows].

> >If the EUID of the original invoker is checked, even if they su'ed
> >to a person in wheel, then they should not be able to su to root.

> >I'm asking why is this permitted, or alternatively why is putting a
> >user in the wheel group supposed to make things secure, when in
> >reality it just makes it seem more secure - as there is only one
> >more password to crack.

> One more password to crack is more time which means a better
> chance of catching the cracker in the act. Although I don't know
> why exactly the authors of su did that the way they did but my
> first and best guess would be convenience. The two password
> method is better than a new login session each time you want
> to get to root. Second best guess would be that they didn't
> figure out that issue or at least think much of it.

One more password to hack does make it harder, but in a paranoid mode if
someone did break a password of a wheel user, then they have a root
password to break. I'd just as soon them not have that ability at all.

I'm concerned about some application turning out to have an unknown hole
and someone wandering around before they are found. It seems there are
tons of attempts on sshd logins in the past few months, but I'm thinking
that if some app breaks then that person could perhaps su to a local person
that is in wheel.

Your idea of changing su to be only executable by root and users in group
wheel may be just what I need.

I may be overly paranoid, but in this day and age you can't be too secure.
The one penetration that I had three years ago on one non-critical machine
was one more than I'd have liked to have had.

There are a total of 4 people who have wheel accounts, and one person has a
set of sudo commands so he can edit his own private set of sendmail
aliases, primarily for a large mailing list he maintains, but other than
that it's locked down pretty well. As above I'm concerned about some
unknown hole in an app giving someone a chance locally.

> ------------------------------
> Message: 12
> Date: Sat, 18 Dec 2004 11:45:45 +0000
> From: Craig Edwards

> You could change the permissions on the su binary, so that only
> users in the wheel group can even execute su. that way, when a
> non-wheel user attempts to su to a user in the wheel group, they
> simply get permission denied.

That's one that had not crossed my mind. I will probably do that.

> The idea of chmod'ing your suid binaries is always good in my
> opinion, and will stop this from happening simply and easily
> without having to change any code.

Which is very good. The fewer things modified the fewer things to get
missed on system upgrades.

Thanks to all who responded. Now my only unanswered question has to do
with why su was designed like this originally. Those reasons are probably
lost somewhere in history. But now I can ease some of my paranoic worries
at least by changing su.

Bill
--
Bill Vermillion - bv @ wjv . com
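Editor's added example for this thread (not code from any of the posters): the Python script below parses lastcomm(1) lines like the ones Ganbold posted, decodes the tty column, and reconstructs, per login session on a tty, the chain of identities reached through su, treating an `su` record followed by a shell record owned by a different user as a successful su. It also flags the path the later replies argue about: a login user who is not in wheel ending up as root by first su'ing to a wheel account. Everything in it beyond the thread is an assumption: the sample lines are constructed from the posted output; lastcomm is taken to list the newest exit first with the shown stamp being the process start time; the `su` record's user is taken to be the invoker (process accounting stores the real uid); and the `#C:<major>:0x<minor>` tty form is read as devname(3)'s fallback for a character device it has no name for (for instance a pty slave not yet in /var/run/dev.db, which would explain why ttyp0 resolves and the later ptys do not). The script decodes those numbers and does not guess the device name.

```python
"""Reconstruct su(1) identity chains per tty session from lastcomm(1) output.
Added example for this thread, not code from any poster; see assumptions above."""
import re
from collections import defaultdict

# One lastcomm line: command, flags, user, tty, CPU seconds, start stamp (no year).
LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<flags>\S+)\s+(?P<user>\S+)\s+(?P<tty>\S+)\s+"
    r"(?P<cpu>[\d.]+)\s+secs\s+(?P<start>\w{3}\s+\w{3}\s+\d+\s+\d\d:\d\d)\s*$")
# devname(3) fallback for a device without a known name: "#C:<major>:0x<minor>"
# (character) or "#B:..." (block); "__" means the process had no controlling tty.
DEV_RE = re.compile(r"^#(?P<kind>[CB]):(?P<major>\d+):0x(?P<minor>[0-9a-f]+)$", re.I)
MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
SHELLS = {"sh", "csh", "tcsh", "bash", "ksh", "zsh"}  # shell right after su: the new identity

# Constructed sample rebuilt from lines quoted in the thread, in lastcomm's own order
# (newest exit first).  The same pseudo-tty carries two sessions: one in which
# tugstugi reaches root via tsgan, and a later one whose su never gets a shell.
SAMPLE = """\
sshd   -F  tugstugi  __        0.16 secs Tue Dec 14 23:01
sh     -   tugstugi  #C:5:0x1  0.03 secs Tue Dec 14 23:02
su     -   tugstugi  #C:5:0x1  0.02 secs Tue Dec 14 23:38
sshd   -F  tugstugi  __        0.08 secs Tue Dec 14 22:41
sh     -   tugstugi  #C:5:0x1  0.02 secs Tue Dec 14 22:41
who    -   tugstugi  #C:5:0x1  0.00 secs Tue Dec 14 22:52
su     -   tugstugi  #C:5:0x1  0.02 secs Tue Dec 14 22:48
sh     -   tsgan     #C:5:0x1  0.00 secs Tue Dec 14 22:48
ls     -   tsgan     #C:5:0x1  0.00 secs Tue Dec 14 22:52
su     -   tsgan     #C:5:0x1  0.02 secs Tue Dec 14 22:49
csh    -   root      #C:5:0x1  0.03 secs Tue Dec 14 22:49
"""


def parse_tty(field):
    """("none",) for "__"; ("char"|"block", major, minor) for a devname(3)
    fallback string; ("named", name) for an ordinary tty name such as ttyp0."""
    if field == "__":
        return ("none",)
    m = DEV_RE.match(field)
    if m:
        kind = "char" if m.group("kind").upper() == "C" else "block"
        return (kind, int(m.group("major")), int(m.group("minor"), 16))
    return ("named", field)


def parse_lastcomm(text):
    """Parse lastcomm output into dicts; "pos" is the listing position (smaller == exited later)."""
    records = []
    for pos, line in enumerate(l for l in text.splitlines() if l.strip()):
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("unparsable lastcomm line: %r" % line)
        records.append(dict(m.groupdict(), pos=pos))
    return records


def start_key(stamp):
    """"Tue Dec 14 22:41" -> sortable tuple (no year in the stamp: same-year data only)."""
    _, mon, day, hm = stamp.split()
    hour, minute = hm.split(":")
    return (MONTHS[mon], int(day), int(hour), int(minute))


def su_chains(records):
    """One dict per login session on a tty, with the chain of users reached
    through su, e.g. ["tugstugi", "tsgan", "root"].  Records are walked in
    start-minute order; within a minute the listing position breaks ties,
    because su exits after the shell it spawned and so is listed before it."""
    by_tty = defaultdict(list)
    for rec in records:
        if rec["tty"] != "__":
            by_tty[rec["tty"]].append(rec)
    sessions = []
    for tty in sorted(by_tty):
        ordered = sorted(by_tty[tty], key=lambda r: (start_key(r["start"]), r["pos"]))
        session, pending_su = None, None  # pending_su: ran su, no shell seen yet
        for rec in ordered:
            # A shell with no su in front of it is a new login (a subshell started by
            # hand looks the same, accepted for triage); this keeps reused ttys apart.
            if session is None or (rec["cmd"] in SHELLS and pending_su is None):
                session = {"tty": tty, "login_user": rec["user"], "chain": [rec["user"]]}
                sessions.append(session)
                pending_su = rec["user"] if rec["cmd"] == "su" else None
            elif rec["cmd"] == "su":
                pending_su = rec["user"]  # accounting stores the invoker's real uid
            elif rec["cmd"] in SHELLS and rec["user"] != pending_su:
                session["chain"].append(rec["user"])  # su succeeded: new identity
                pending_su = None
            else:
                pending_su = None  # su not followed by a shell (failed or exited): drop
    return sessions


def escalations(sessions, wheel):
    """Sessions that end as root although the login user is not in wheel: the
    two-password route through a wheel account that the later replies discuss."""
    return [s for s in sessions if s["chain"][-1] == "root" and s["login_user"] not in wheel]


if __name__ == "__main__":
    found = su_chains(parse_lastcomm(SAMPLE))
    for s in found:
        print(s["tty"], parse_tty(s["tty"]), " -> ".join(s["chain"]))
    for s in escalations(found, wheel={"tsgan"}):  # tsgan: the post's only wheel member
        print("root reached from non-wheel login", s["login_user"], "on", s["tty"])
```

Run as-is, it prints `tugstugi -> tsgan -> root` for the 22:41 session and flags it, because tsgan is the only wheel member named in the post and tugstugi is not; the 23:02 session shows an su with no shell after it and is left alone. Grouping by tty only works because pseudo-ttys are reused serially; if the listing is truncated mid-session the first record's owner is taken as the login user, which is worth checking by hand before drawing conclusions.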