From owner-freebsd-security@FreeBSD.ORG Mon Nov 14 15:58:56 2005
Return-Path:
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EB4C416A41F for ; Mon, 14 Nov 2005 15:58:56 +0000 (GMT) (envelope-from odip@bionet.nsc.ru)
Received: from manticore.bionet.nsc.ru (manticore.bionet.nsc.ru [84.237.118.164]) by mx1.FreeBSD.org (Postfix) with ESMTP id 630EF43D6B for ; Mon, 14 Nov 2005 15:58:55 +0000 (GMT) (envelope-from odip@bionet.nsc.ru)
Received: by manticore.bionet.nsc.ru (Postfix, from userid 426) id 033A321784; Mon, 14 Nov 2005 21:58:53 +0600 (NOVT)
Received: from odiph (modem5.bionet.nsc.ru [172.25.2.22]) by manticore.bionet.nsc.ru (Postfix) with ESMTP id 1712621780 for ; Mon, 14 Nov 2005 21:58:51 +0600 (NOVT)
From: "Dmitry Grigorovich"
To:
Date: Mon, 14 Nov 2005 21:58:49 +0600
Message-ID: <000b01c5e934$4ed79690$160219ac@bionet.nsc.ru>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1506
Thread-Index: AcXpNEw6JWbttTcmTvi8OJlVD32Ysg==
Subject: Race condition in Sudo's pathname validation, version <= 1.6.8p9
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 14 Nov 2005 15:58:57 -0000

http://sudo.ws/sudo/alerts/path_race.html

[ODiP] == Dmitry Grigorovich

From owner-freebsd-security@FreeBSD.ORG Mon Nov 14 16:48:36 2005
From: "Simon L. Nielsen"
To: Dmitry Grigorovich
Cc: freebsd-security@freebsd.org
Date: Mon, 14 Nov 2005 17:48:34 +0100
Message-ID: <20051114164833.GG64196@eddie.nitro.dk>
In-Reply-To: <000b01c5e934$4ed79690$160219ac@bionet.nsc.ru>
Subject: Re: Race condition in Sudo's pathname validation, version <= 1.6.8p9

On 2005.11.14 21:58:49 +0600, Dmitry Grigorovich wrote:
> http://sudo.ws/sudo/alerts/path_race.html

See http://vuxml.FreeBSD.org/3bf157fa-e1c6-11d9-b875-0001020eed82.html for details regarding this vulnerability in the context of the FreeBSD Ports Collection.

Note that this is a rather old issue which was published 2005-06-20.

--
Simon L. Nielsen
FreeBSD Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (FreeBSD)

iD8DBQFDeL/hh9pcDSc1mlERArZBAJ90krnKK2rcMEFa9jwQf/73omaVMQCcCwWf
BFFD7e6/aetyXC45f+SpOCg=
=I7A1
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Thu Nov 17 01:26:09 2005
From: Mark Jayson Alvarez
To: freebsd-security@freebsd.org
Date: Wed, 16 Nov 2005 17:25:52 -0800 (PST)
Message-ID: <20051117012552.46503.qmail@web51607.mail.yahoo.com>
Subject: Need urgent help regarding security

Good Day!

I think we have a serious problem. One of our old servers, running FreeBSD 4.9, has been compromised and is now connected to an ircd server:

195.204.1.132.6667 ESTABLISHED

However, we still haven't brought the server down, in an attempt to track the intruder down. Right now we are clueless as to what we need to do. Most of our servers are running legacy operating systems (old versions, mostly FreeBSD). Also, that particular server is running ProFTPD Version 1.2.4, which someone has suggested has a known vulnerability.

I really need all the help I can get, as the administration of those servers was just transferred to us by the former admins. The server is used for FTP.

Thanks.

__________________________________
Yahoo! Mail - PC Magazine Editors' Choice 2005
http://mail.yahoo.com

From owner-freebsd-security@FreeBSD.ORG Thu Nov 17 01:48:38 2005
From: ray@redshift.com
To: Mark Jayson Alvarez, freebsd-security@freebsd.org
Date: Wed, 16 Nov 2005 17:48:38 -0800
Message-Id: <3.0.1.32.20051116174838.00a75e70@pop.redshift.com>
In-Reply-To: <20051117012552.46503.qmail@web51607.mail.yahoo.com>
Subject: Re: Need urgent help regarding security
At 05:25 PM 11/16/2005 -0800, Mark Jayson Alvarez wrote:
| Good Day!
|
| I think we have a serious problem. One of our old servers, running FreeBSD
| 4.9, has been compromised and is now connected to an ircd server:
| 195.204.1.132.6667 ESTABLISHED
|
| However, we still haven't brought the server down, in an attempt to track
| the intruder down. Right now we are clueless as to what we need to do.
| Most of our servers are running legacy operating systems (old versions,
| mostly FreeBSD). Also, that particular server is running ProFTPD Version
| 1.2.4, which someone has suggested has a known vulnerability.
|
| I really need all the help I can get, as the administration of those
| servers was just transferred to us by the former admins. The server is
| used for FTP.
|
| Thanks.

Hi Mark,

Good luck tracking them. The IP# is out of Canada if that helps any.

195.204.1.132 CA CANADA ONTARIO WAWA UNDERNET-IRC

Looks like it is coming from another IRC network, although I am no IRC expert. Someone is probably using your machine to exchange software or run a bot network or something along those lines. Who knows.

Try doing a ps -aux and see if something like eggdrop or some IRC bot is running on there (assuming you still have the root password). You might even be able to figure out if you are hosting an IRC room :-) Maybe everyone from the FreeBSD hacker list can meet there and party :-) Just kidding.

Anyway, tracking them is probably a waste of time, unless some valuable corporate information has been stolen. The best bet is to just wipe the machine and start over, unless you need something on there that you can't back up, etc. In cases like these, unless you are running something that has built checksums of all your system files, it's difficult to work backwards and know for sure you have returned everything to a secure status. Best just to start at square one and work forward.

In the future, you might consider running a firewall, such as ipf, or putting the server on a non-public IP# behind a router that acts as a firewall, and then only allow traffic in (and out) on ports you really need. If you run ipf, you might also block outgoing traffic on ports such as 21, 6666-6669, etc. so that anything that does get into the machine can't "phone home".

If your root password has been changed on you, you'll need to boot into single user mode and change the password back. You might also check files like /etc/rc.local or the like to see if something is set up to auto-load at boot, such as an IRC server or IRC bot, etc.

Anyway, just some ideas off hand.

Good luck!

Ray
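As an added example (not part of Ray's message or of anything posted in this thread): the "ESTABLISHED to port 6667" observation that started the thread can be turned into a repeatable check, and Ray's egress-filter advice into an ipf(8) ruleset. The script below is POSIX sh. The netstat output it parses is a constructed sample in the layout of FreeBSD's netstat -an (the 195.204.1.132.6667 line mirrors the one Mark reported; the other addresses are made up), and the IRC port list and the interface name fxp0 are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): flag established TCP sessions from this
# host to IRC ports in `netstat -an`-style output, then print the ipf(8) rules
# that would stop such sessions from being set up in the first place.

# Constructed sample of FreeBSD `netstat -an` output.  The 195.204.1.132.6667
# line mirrors the one reported in the thread; the other addresses are made up.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.0.0.5.1034          195.204.1.132.6667     ESTABLISHED
tcp4       0      0  10.0.0.5.21            192.0.2.44.51022       ESTABLISHED
tcp4       0      0  10.0.0.5.1051          198.51.100.9.7000      ESTABLISHED
tcp4       0      0  10.0.0.5.1060          203.0.113.7.6669       SYN_SENT
tcp4       0      0  *.21                   *.*                    LISTEN'

# Ports IRC servers commonly listen on (assumption; extend as needed).
IRC_PORTS='6665 6666 6667 6668 6669 7000'

# flag_irc_connections NETSTAT_TEXT
#   Print "<local> -> <foreign> <state>" for every TCP session whose foreign
#   port is in IRC_PORTS and that is ESTABLISHED or being opened (SYN_SENT).
#   In netstat's BSD layout the port is the text after the last dot.
flag_irc_connections() {
    printf '%s\n' "$1" | awk -v ports="$IRC_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) irc[p[i]] = 1 }
        $1 ~ /^tcp/ && ($6 == "ESTABLISHED" || $6 == "SYN_SENT") {
            port = $5
            sub(/.*\./, "", port)
            if (port in irc) printf "%s -> %s %s\n", $4, $5, $6
        }'
}

# ipf_egress_rules IFACE
#   Print an ipf.rules fragment for IFACE: let the FTP and SSH control ports
#   in (stateful), log and drop outbound connections to the IRC ports and to
#   port 21, and drop everything else inbound.  Outbound traffic not matched
#   here is left to whatever rules follow this fragment.
ipf_egress_rules() {
    iface=$1
    printf '# inbound services, stateful so replies come back\n'
    for port in 21 22; do
        printf 'pass in quick on %s proto tcp from any to any port = %s flags S keep state\n' "$iface" "$port"
    done
    printf '# stop a compromised box from "phoning home" to IRC or pushing files out\n'
    for port in $IRC_PORTS 21; do
        printf 'block out log quick on %s proto tcp from any to any port = %s\n' "$iface" "$port"
    done
    printf 'block in log quick on %s all\n' "$iface"
}

# Usage: run the check on the sample, then show the rules for fxp0.
flag_irc_connections "$SAMPLE_NETSTAT"
ipf_egress_rules fxp0
```

On the sample the check reports the two ESTABLISHED sessions to 6667 and 7000 and the SYN_SENT to 6669, and stays quiet about the inbound FTP session, whose foreign port is 51022. The ruleset only covers the control channels; an FTP server also needs its data connections handled (ipf's ftp proxy or explicit rules), so review the generated fragment against the services the box really provides before loading it.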
From: "saurabh.bhasin"
To: ray@redshift.com
Cc: freebsd-security@freebsd.org, Mark Jayson Alvarez
Date: Wed, 16 Nov 2005 18:04:32 -0800
Message-ID: <437BE530.8010404@bhasin.in>
In-Reply-To: <3.0.1.32.20051116174838.00a75e70@pop.redshift.com>
Subject: Re: Need urgent help regarding security

Mark,

In addition to Ray's suggestions, you might also want to capture some packets (tcpdump and the like) to see more specific details of the outbound IRC traffic. Unless the traffic is encrypted, you'll be able to see which channel you're being forced to join (watch for /join #channelname).

It's very likely that your server is part of a bigger botnet, serving up movies/mp3s etc. You might also want to see if your available disk space has drastically changed since before this incident. Along the same lines, also watch out for higher utilization counts on your interface.

As always, it's a good idea to firewall your traffic.

Good luck.

-Saurabh

ray@redshift.com wrote:
> At 05:25 PM 11/16/2005 -0800, Mark Jayson Alvarez wrote:
> | Good Day!
> |
> | I think we have a serious problem. One of our old servers, running FreeBSD
> | 4.9, has been compromised and is now connected to an ircd server:
> | 195.204.1.132.6667 ESTABLISHED
> |
> | However, we still haven't brought the server down, in an attempt to track
> | the intruder down. Right now we are clueless as to what we need to do.
> | Most of our servers are running legacy operating systems (old versions,
> | mostly FreeBSD). Also, that particular server is running ProFTPD Version
> | 1.2.4, which someone has suggested has a known vulnerability.
> |
> | I really need all the help I can get, as the administration of those
> | servers was just transferred to us by the former admins. The server is
> | used for FTP.
> |
> | Thanks.
>
> Hi Mark,
>
> Good luck tracking them. The IP# is out of Canada if that helps any.
>
> 195.204.1.132 CA CANADA ONTARIO WAWA UNDERNET-IRC
>
> Looks like it is coming from another IRC network, although I am no IRC
> expert. Someone is probably using your machine to exchange software or run a
> bot network or something along those lines. Who knows.
>
> Try doing a ps -aux and see if something like eggdrop or some IRC bot is
> running on there (assuming you still have the root password). You might even be
> able to figure out if you are hosting an IRC room :-) Maybe everyone from the
> FreeBSD hacker list can meet there and party :-) Just kidding.
>
> Anyway, tracking them is probably a waste of time, unless some valuable
> corporate information has been stolen. The best bet is to just wipe the machine
> and start over, unless you need something on there that you can't back up, etc.
> In cases like these, unless you are running something that has built checksums
> of all your system files, it's difficult to work backwards and know for sure
> you have returned everything to a secure status. Best just to start at
> square one and work forward.
>
> In the future, you might consider running a firewall, such as ipf, or putting
> the server on a non-public IP# behind a router that acts as a firewall, and then
> only allow traffic in (and out) on ports you really need. If you run ipf, you
> might also block outgoing traffic on ports such as 21, 6666-6669, etc. so that
> anything that does get into the machine can't "phone home".
>
> If your root password has been changed on you, you'll need to boot into single
> user mode and change the password back. You might also check files like
> /etc/rc.local or the like to see if something is set up to auto-load at boot,
> such as an IRC server or IRC bot, etc.
>
> Anyway, just some ideas off hand.
>
> Good luck!
>
> Ray
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Thu Nov 17 02:06:22 2005
From: Will Maier
To: freebsd-security@freebsd.org
Date: Wed, 16 Nov 2005 20:06:22 -0600
Message-ID: <20051117020622.GE26954@localdomain>
In-Reply-To: <20051117012552.46503.qmail@web51607.mail.yahoo.com>
Subject: Re: Need urgent help regarding security

On Wed, Nov 16, 2005 at 05:25:52PM -0800, Mark Jayson Alvarez wrote:
> However, we still haven't brought the server down, in an attempt to
> track the intruder down. Right now we are clueless as to what we
> need to do. Most of our servers are running legacy operating
> systems (old versions, mostly FreeBSD). Also, that particular server
> is running ProFTPD Version 1.2.4, which someone has suggested has
> a known vulnerability.

You should take the box off the network immediately. Before doing so, get a dump of all open files using lsof(8), especially open network sockets. The following is a start:

    $ lsof -Pni > /root/openfiles.txt

Do not use shutdown(8) or reboot(8) to shut the machine down, as these may trigger scripts that could remove or obfuscate evidence of the break-in. Simply powering the machine off will leave it in a relatively pristine state.

The machine will need to be rebuilt, and all passwords on it retired. Consider whether the attacker could have compromised other systems on your network via this machine; if so, change relevant passwords and investigate further.

Do not boot from the compromised hard disk again; instead, mount it on a safe machine and take a disk image. Do not alter the disk itself -- all investigation should occur using copies of the image.

If the other machines are in a state similar to the compromised machine (in terms of OS upgrades, software upgrades, exposure), develop a plan to bring them to a known safe/protected level. At a minimum, unnecessary services should be turned off, strict password requirements should be set, and all software (OS and third party) should be updated.

For extra credit: using the image and the dump of open files, try to determine the vector used to launch the attack. Understanding how they got in might help you as you move to secure your other machines.

You're going to have rather a lot of work to do, unfortunately, which is a rough way to start at your new job. If the previous admin had kept the machines up to date, the likelihood that you'd have to respond to a security incident on unfamiliar systems would be dramatically lessened. Do the next admin a favor: keep these machines secure after you rebuild them.
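Will's sequence (capture open files, pull the power rather than run shutdown(8), image the disk on another machine, work only on copies) as an added example script, not code from Will or from the list. It is POSIX sh; the command list, the directory names, and the SHA-256 helper are assumptions about what a FreeBSD 4.x box or the analysis box provides, and the "disk" imaged in the usage call at the bottom is a constructed file so the block runs without a real device.

```sh
#!/bin/sh
# Added example, not code from Will's post or the list: preserve volatile state
# before the power is pulled, then image the disk on another machine and prove
# the image matches.  POSIX sh; command names, paths and the hash helper are
# assumptions about what a FreeBSD 4.x box (or the analysis box) provides.
set -u

# hash_file FILE: print a SHA-256 digest using whichever tool is available
# (sha256 on FreeBSD, sha256sum on Linux, shasum elsewhere).
hash_file() {
    if command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# collect_volatile DIR
#   Step 1, on the live box: run read-only inspection commands (lsof -Pni
#   first, as the post suggests) and store each output under DIR together
#   with a hash manifest, so the captured evidence can later be shown to be
#   unaltered.  Point DIR at removable media or a network mount, not at the
#   suspect disk.  Nothing here calls shutdown(8) or reboot(8).  Prints the
#   manifest path.
collect_volatile() {
    dir=$1
    mkdir -p "$dir" || return 1
    : > "$dir/MANIFEST"
    printf '%s\n' \
        'openfiles|lsof -Pni' \
        'sockets|netstat -an' \
        'processes|ps auxww' \
        'logins|w' |
    while IFS='|' read -r name cmd; do
        tool=${cmd%% *}
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "skip: $tool not installed" >&2
            continue
        fi
        $cmd > "$dir/$name.txt" 2>&1 || echo "note: $tool exited non-zero" >&2
        printf '%s  %s\n' "$(hash_file "$dir/$name.txt")" "$name.txt" >> "$dir/MANIFEST"
    done
    echo "$dir/MANIFEST"
}

# image_and_verify SRC DST
#   Step 2, on the analysis box with the suspect disk attached: copy SRC (a
#   device node such as /dev/ad1, or a file) block for block to DST with dd,
#   then compare digests of source and image.  Prints the digest on success;
#   returns 1 on a mismatch.  All later analysis uses DST (or a copy of it),
#   never SRC.
image_and_verify() {
    src=$1; dst=$2
    dd if="$src" of="$dst" bs=64k 2>/dev/null || return 1
    a=$(hash_file "$src")
    b=$(hash_file "$dst")
    if [ "$a" != "$b" ]; then
        echo "digest mismatch: $a != $b" >&2
        return 1
    fi
    echo "$a"
}

# Usage on a constructed "disk" (a small file) so this runs without a device.
demo_dir=$(mktemp -d)
printf 'constructed disk contents, not a real image\n' > "$demo_dir/ad1"
collect_volatile "$demo_dir/evidence"
image_and_verify "$demo_dir/ad1" "$demo_dir/ad1.dd"
```

The manifest is what lets you show later that openfiles.txt and friends are the files taken at the time, and the digest printed by image_and_verify is the value to record alongside the image; any later copy of the image can be checked against it with hash_file before work starts on it.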
--
o--------------------------{ Will Maier }--------------------------o
| jabber:..wcmaier@jabber.ccc.de | email:..........wcmaier@ml1.net |
| \.........wcmaier@cae.wisc.edu | \..........wcmaier@cae.wisc.edu |
*------------------[ BSD Unix: Live Free or Die ]------------------*

From owner-freebsd-security@FreeBSD.ORG Thu Nov 17 04:55:29 2005
From: Bill Desjardins
To: freebsd-security@freebsd.org
Cc: Mark Jayson Alvarez
Date: Wed, 16 Nov 2005 23:55:27 -0500
Message-ID: <20051116235527.4okakp84gk40osco@webmail.tuffmail.net>
In-Reply-To: <20051117012552.46503.qmail@web51607.mail.yahoo.com>
Subject: Re: Need urgent help regarding security

Mark,

Before going too nuts with trying to locate how they got in, let me ask: are you running a webserver on this server, and any websites?

Take a look in /tmp and /var/tmp, and do a find for any directories which have 777 perms, like uucppublic in /var. If so, are they owned by the web user? I have seen many IRC bots installed from poorly written PHP and Perl programs into /tmp and such, which are then run via the same security holes that allowed them to be installed. These programs can only be run on high port numbers and are owned by the webserver owner. 99 of 100 are usually IRC bots as well. Another thing to look for is whether they installed a cron job for the web user which re-downloads the files if they are deleted. You can disable cron for www, and it is recommended.

I have seen these tactics more and more lately, and the amount of bad 3rd party code used by my users doesn't help at all.

HTH,

Bill

--
Bill Desjardins                               d: 305.205.8644
EtherneXt.com - Managed Colocation & Bandwidth
bill@ethernext.com                            Phone: 305.373.5960

Quoting Mark Jayson Alvarez :
> Good Day!
>
> I think we have a serious problem. One of our old servers, running FreeBSD
> 4.9, has been compromised and is now connected to an ircd server:
> 195.204.1.132.6667 ESTABLISHED
>
> However, we still haven't brought the server down, in an attempt to track
> the intruder down. Right now we are clueless as to what we need to do.
> Most of our servers are running legacy operating systems (old versions,
> mostly FreeBSD). Also, that particular server is running ProFTPD Version
> 1.2.4, which someone has suggested has a known vulnerability.
>
> I really need all the help I can get, as the administration of those
> servers was just transferred to us by the former admins. The server is
> used for FTP.
>
> Thanks.

From owner-freebsd-security@FreeBSD.ORG Thu Nov 17 08:33:34 2005
From: jimmy@inet-solutions.be
To: Bill Desjardins
Cc: freebsd-security@freebsd.org, Mark Jayson Alvarez
Date: Thu, 17 Nov 2005 09:35:31 +0100
Message-ID: <1132216531.437c40d3ca912@webmail.boxke.be>
In-Reply-To: <20051116235527.4okakp84gk40osco@webmail.tuffmail.net>
Subject: Re: Need urgent help regarding security

Quoting Bill Desjardins :
> Mark,
>
> Before going too nuts with trying to locate how they got in, let me ask: are
> you running a webserver on this server, and any websites?
>
> Take a look in /tmp and /var/tmp, and do a find for any directories which have
> 777 perms, like uucppublic in /var. If so, are they owned by the web user? I
> have seen many IRC bots installed from poorly written PHP and Perl programs
> into /tmp and such, which are then run via the same security holes that
> allowed them to be installed. These programs can only be run on high port
> numbers and are owned by the webserver owner. 99 of 100 are usually IRC
> bots as well. Another thing to look for is whether they installed a cron job for
> the web user which re-downloads the files if they are deleted. You can
> disable cron for www, and it is recommended. I have seen these tactics more and
> more lately, and the amount of bad 3rd party code used by my users doesn't
> help at all.
>
> HTH,
>
> Bill

This is very correct; most of the time the directory is named '. ..', ' ', '...' or 'php-.....'. You'd better use 'find' to track the files down. I had it in the past (users with old phpBBs); all these guys are searching for is a 'sit' to get on IRC.

I took a full tcpdump of the connections to get enough evidence. Even better, those morons didn't disable the logging of the BNC, so I had VERY clear connection logs right in their application directory, which is SO stupid. I turned those logs over to their ISP and they told me they would take care of the rest. Don't bother with the rest, they are probably kids, and if you think it was unable to break out any further from the www user, don't worry, just verify every bit the user could touch.
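Bill's and Jimmy's checks (world-writable or disguised directories under /tmp and /var/tmp, a crontab for the web user, cron denied for that user) as an added example, not code from either of them or from the list. It is POSIX sh. The web user name www, the cron spool and deny paths, and the sample directory tree it builds under a temp directory are assumptions or constructed so that the block runs stand-alone; on a real box you would pass /tmp /var/tmp and the real /var/cron paths instead.

```sh
#!/bin/sh
# Added example, not code from Bill's or Jimmy's posts: look for the drop
# sites they describe (world-writable or disguised directories under /tmp and
# /var/tmp), check whether the web user has a crontab, and deny that user
# cron.  POSIX sh.  The web user name (www), the spool/deny paths and the
# sample tree built under a temp dir are assumptions so this runs stand-alone;
# on a real box pass /tmp /var/tmp and the real /var/cron paths instead.
set -u

# find_drop_sites DIR...
#   Print "<mode> <owner> <path>" for every directory below the given roots
#   (the roots themselves excluded) that is world-writable, or whose name is
#   one of the disguises Jimmy lists: '. ..', '...', a name starting with a
#   blank, or 'php-*'.
find_drop_sites() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" ! -path "$root" -type d \( -perm -0002 -o -name '. ..' \
            -o -name '...' -o -name ' *' -o -name 'php-*' \) -print
    done | while IFS= read -r path; do
        # ls -ld gives mode and owner portably (BSD and GNU); the name is taken
        # from $path, so blanks in it do not matter.
        set -- $(ls -ld "$path")
        printf '%s %s %s\n' "$1" "$3" "$path"
    done
}

# check_crontab USER SPOOLDIR
#   Report whether USER has a crontab in SPOOLDIR (/var/cron/tabs on FreeBSD).
#   A crontab for the web user is the persistence Bill describes: a job that
#   re-downloads the bot when it is deleted.  Returns 1 if one exists.
check_crontab() {
    if [ -f "$2/$1" ]; then
        echo "crontab present for $1: $2/$1"
        return 1
    fi
    echo "no crontab for $1"
}

# deny_cron USER DENYFILE
#   Add USER to cron's deny list (/var/cron/deny on FreeBSD) if it is not
#   already there; this is what "disable cron for www" amounts to.
deny_cron() {
    touch "$2"
    grep -qx "$1" "$2" || echo "$1" >> "$2"
}

# build_sample_tree ROOT: construct a fake /tmp layout for the demonstration.
build_sample_tree() {
    mkdir -p "$1/tmp/. .." "$1/tmp/..." "$1/tmp/php-cache" "$1/tmp/ok" "$1/var/tmp/clean"
    chmod 777 "$1/tmp/. .." "$1/tmp/php-cache"
    chmod 755 "$1/tmp/..." "$1/tmp/ok" "$1/var/tmp/clean"
    : > "$1/tmp/. ../bot.tcl"
    mkdir -p "$1/var/cron/tabs"
    printf '*/10 * * * * /tmp/php-cache/.update\n' > "$1/var/cron/tabs/www"
}

# Usage on the constructed tree.
demo=$(mktemp -d)
build_sample_tree "$demo"
find_drop_sites "$demo/tmp" "$demo/var/tmp"
check_crontab www "$demo/var/cron/tabs" || true
deny_cron www "$demo/var/cron/deny"
```

On the sample tree the finder reports '. ..', '...' and 'php-cache' and ignores 'ok' and 'clean'; the owner column is where you would see the web user on a real box. Everything here is read-only apart from the deny-list entry, so it is safe to run before deciding whether the box gets rebuilt.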
Kind regards,

Jimmy Scott

----------------------------------------------------------------
This message has been sent through ihosting.be
To report spamming or other unaccepted behavior by an iHosting customer, please send a message to abuse@ihosting.be
----------------------------------------------------------------

From owner-freebsd-security@FreeBSD.ORG Thu Nov 17 15:54:33 2005
From: Brian Reichert
To: Mark Jayson Alvarez
Cc: freebsd-security@freebsd.org
Date: Thu, 17 Nov 2005 10:54:29 -0500
Message-ID: <20051117155429.GD38047@numachi.com>
In-Reply-To: <20051117012552.46503.qmail@web51607.mail.yahoo.com>
Subject: Re: Need urgent help regarding security

On Wed, Nov 16, 2005 at 05:25:52PM -0800, Mark Jayson Alvarez wrote:
> Good Day!
>
> I think we have a serious problem. One of our old servers, running FreeBSD
> 4.9, has been compromised and is now connected to an ircd server:
> 195.204.1.132.6667 ESTABLISHED

I had a 4.9 box compromised through the ssh install (I'm certain it wasn't OpenSSH, but the base install), and it was running an IRC server itself. I just yanked the box off the net, scrubbed it flat, and reinstalled.

In my case, it wasn't worth the time to track who and when and how; I needed to put the server back on the net.

Good luck on chasing them down. Are you sure that effort is worth it to you?

> Thanks.

--
Brian Reichert
55 Crystal Ave. #286                    Daytime number: (603) 434-6842
Derry NH 03038-1725 USA                 BSD admin/developer at large

From owner-freebsd-security@FreeBSD.ORG Thu Nov 17 16:05:38 2005
From: Cy Schubert
To: freebsd-security@freebsd.org
X-URL: http://www.komquats.com/
Content-Type: text/plain; charset=us-ascii Date: Thu, 17 Nov 2005 08:05:34 -0800 Sender: Cy.Schubert@komquats.com Subject: krb5-1.4.3 is released (fwd) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Cy Schubert List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 17 Nov 2005 16:05:38 -0000 I will be updating the KRB5 port shortly. The updated port, as it stands right now, builds and installs cleanly on the i386 version of 6.0. I need to verify it builds and installs on 5.4, 4.11, and 7.0-CURRENT (my "checkout" of 7.0 as of three days ago currently doesn't build here). I should have the upgraded port committed sometime during the weekend. Cheers, Cy Schubert Web: http://www.komquats.com and http://www.bcbodybuilder.com FreeBSD UNIX: Web: http://www.FreeBSD.org BC Government: "Lift long enough and I believe arrogance is replaced by humility and fear by courage and selfishness by generosity and rudeness by compassion and caring." -- Dave Draper ------- Forwarded Message Date: Wed, 16 Nov 2005 20:24:21 -0500 From: Tom Yu To: kerberos-announce@mit.edu Subject: krb5-1.4.3 is released - -----BEGIN PGP SIGNED MESSAGE----- The MIT Kerberos Team announces the availability of MIT Kerberos 5 Release 1.4.3. This is primarily a bugfix release. Please see the README file in the source tree for a detailed list of changes. 
RETRIEVING KERBEROS 5 RELEASE 1.4.3 =================================== You may retrieve the Kerberos 5 Release 1.4.3 source from the following URL: http://web.mit.edu/kerberos/dist/ The homepage for the krb5-1.4.3 release is: http://web.mit.edu/kerberos/krb5-1.4/ Further information about Kerberos 5 may be found at the following URL: http://web.mit.edu/kerberos/ - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (SunOS) iQCVAwUBQ3vbyKbDgE/zdoE9AQGdYwP9H/jFewL9cOdMuKyQC/pxsIO/sWBfra+1 DB8c7oyquns59V4nq13s9EhJ1y7vgYAMWSTHauEf6Jke+gfd0qgHqHd1Amlwq7Wa BcIt1KQzRx1a1zvFnQ4zQJLYbmUI1skApn9t2g52nEqpqYezHJZ9cTX9vu8AJOqK cT3JHUkNuF4= =lIsU - -----END PGP SIGNATURE----- _______________________________________________ kerberos-announce mailing list kerberos-announce@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos-announce ------- End of Forwarded Message From owner-freebsd-security@FreeBSD.ORG Thu Nov 17 16:58:23 2005 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EAD2316A41F for ; Thu, 17 Nov 2005 16:58:23 +0000 (GMT) (envelope-from johan@ircnet.se) Received: from laforge.skip.informatik.gu.se (laforge.skip.informatik.gu.se [130.241.143.19]) by mx1.FreeBSD.org (Postfix) with ESMTP id 82DB043D45 for ; Thu, 17 Nov 2005 16:58:23 +0000 (GMT) (envelope-from johan@ircnet.se) Received: from [192.168.0.10] (argus.vry.sgsnet.se [193.11.234.229]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by laforge.skip.informatik.gu.se (Postfix) with ESMTP id 9DABF36A282; Thu, 17 Nov 2005 16:58:30 +0000 (UTC) In-Reply-To: <20051117012552.46503.qmail@web51607.mail.yahoo.com> References: <20051117012552.46503.qmail@web51607.mail.yahoo.com> Mime-Version: 1.0 (Apple Message framework v746.2) Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed Message-Id: 
Content-Transfer-Encoding: 7bit From: Johan Berg Date: Thu, 17 Nov 2005 17:58:04 +0100 To: Mark Jayson Alvarez X-Pgp-Agent: GPGMail 1.1.1 (Tiger) X-Gpgmail-State: signed X-Mailer: Apple Mail (2.746.2) Cc: freebsd-security@freebsd.org Subject: Re: Need urgent help regarding security X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 17 Nov 2005 16:58:24 -0000

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

Check the system with rkhunter to see if there were any changes to some files or any known rootkit installed. You can find rkhunter in /usr/ports/security/rkhunter

Try the following:

rkhunter --update && rkhunter --checkall

17 nov 2005 kl. 02.25 Mark Jayson Alvarez wrote:

> Good Day!
>
> I think we have a serious problem. One of our old
> server running FreeBSD 4.9 have been compromised and
> is now connected to an ircd server..
> 195.204.1.132.6667 ESTABLISHED
>
> However, we still haven't brought the server down in
> an attempt to track the intruder down. Right now we
> are clueless as to what we need to do..
> Most of our servers are running legacy operating
> systems(old versions mostly freebsd) Also, that
> particular server is running - ProFTPD Version 1.2.4
> which someone have suggested to have a known
> vulnerability..
>
> I really need all the help I can get as the
> administration of those servers were just transferred
> to us by former admins. The server is used for ftp.
>
> Thanks..
>
>
>
>
> __________________________________
> Yahoo!
Mail - PC Magazine Editors' Choice 2005 > http://mail.yahoo.com > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security- > unsubscribe@freebsd.org" -- Johan Berg -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (Darwin) iD8DBQFDfLapSVaw+q1ufCYRAh7BAJ93lVecTx72JQnY8IiW3L5D8ineMwCfTZbm dY+/9ukhbXIF9r/5krcxSZ4= =sjjs -----END PGP SIGNATURE----- From owner-freebsd-security@FreeBSD.ORG Fri Nov 18 04:42:49 2005 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4E8FE16A41F for ; Fri, 18 Nov 2005 04:42:49 +0000 (GMT) (envelope-from timothy@open-networks.net) Received: from titan.open-networks.net (ns.open-networks.net [202.173.176.254]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7ECEE43D45 for ; Fri, 18 Nov 2005 04:42:47 +0000 (GMT) (envelope-from timothy@open-networks.net) Received: from [192.168.1.200] (tim.open-networks.net [192.168.1.1]) by titan.open-networks.net (Postfix) with ESMTP id 409CB112D for ; Fri, 18 Nov 2005 14:42:45 +1000 (EST) Message-ID: <437D5BC4.5000700@open-networks.net> Date: Fri, 18 Nov 2005 14:42:44 +1000 From: Timothy Smith User-Agent: Mozilla Thunderbird 1.0.7 (X11/20051002) X-Accept-Language: en-us, en MIME-Version: 1.0 Cc: freebsd-security@freebsd.org References: <20051117012552.46503.qmail@web51607.mail.yahoo.com> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: Need urgent help regarding security X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 18 Nov 2005 04:42:49 -0000 i have 
seen a similar attack recently doing a brute force ssh. The number ONE weakness in most poorly run IT systems is easy passwords. It's amazingly easy to brute force these systems using common names or variations of them. In my instance they used it to join a bot net on an undernet irc channel.

And yes, attempting to track them down will be a waste of time unless they have intruded on a very very sensitive system and you have enough money to back an overseas legal battle.

Check in /tmp and see if anything is running in there; lots of times /tmp is mounted with exec and they use it to run their scripts.

>
>> Good Day!
>>
>> I think we have a serious problem. One of our old
>> server running FreeBSD 4.9 have been compromised and
>> is now connected to an ircd server..
>> 195.204.1.132.6667 ESTABLISHED
>>
>> However, we still haven't brought the server down in
>> an attempt to track the intruder down. Right now we
>> are clueless as to what we need to do..
>> Most of our servers are running legacy operating
>> systems(old versions mostly freebsd) Also, that
>> particular server is running - ProFTPD Version 1.2.4
>> which someone have suggested to have a known
>> vulnerability..
>>
>> I really need all the help I can get as the
>> administration of those servers were just transferred
>> to us by former admins. The server is used for ftp.
>>
>> Thanks..
>>
>>
>>
>>
>> __________________________________
>> Yahoo!
Mail - PC Magazine Editors' Choice 2005 >> http://mail.yahoo.com >> _______________________________________________ >> freebsd-security@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-security >> To unsubscribe, send any mail to "freebsd-security- >> unsubscribe@freebsd.org" > > > -- Johan Berg > > > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.2 (Darwin) > > iD8DBQFDfLapSVaw+q1ufCYRAh7BAJ93lVecTx72JQnY8IiW3L5D8ineMwCfTZbm > dY+/9ukhbXIF9r/5krcxSZ4= > =sjjs > -----END PGP SIGNATURE----- > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to > "freebsd-security-unsubscribe@freebsd.org" > > From owner-freebsd-security@FreeBSD.ORG Fri Nov 18 07:04:47 2005 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A94ED16A41F for ; Fri, 18 Nov 2005 07:04:47 +0000 (GMT) (envelope-from PeterJeremy@optushome.com.au) Received: from mail21.syd.optusnet.com.au (mail21.syd.optusnet.com.au [211.29.133.158]) by mx1.FreeBSD.org (Postfix) with ESMTP id EE46C43D4C for ; Fri, 18 Nov 2005 07:04:46 +0000 (GMT) (envelope-from PeterJeremy@optushome.com.au) Received: from cirb503493.alcatel.com.au (c220-239-19-236.belrs4.nsw.optusnet.com.au [220.239.19.236]) by mail21.syd.optusnet.com.au (8.12.11/8.12.11) with ESMTP id jAI74hg7013194 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO) for ; Fri, 18 Nov 2005 18:04:43 +1100 Received: from cirb503493.alcatel.com.au (localhost.alcatel.com.au [127.0.0.1]) by cirb503493.alcatel.com.au (8.12.10/8.12.10) with ESMTP id jAI74gHh096644 for ; Fri, 18 Nov 2005 18:04:42 +1100 (EST) (envelope-from pjeremy@cirb503493.alcatel.com.au) Received: (from pjeremy@localhost) by cirb503493.alcatel.com.au 
(8.12.10/8.12.9/Submit) id jAI74geF096643 for freebsd-security@freebsd.org; Fri, 18 Nov 2005 18:04:42 +1100 (EST) (envelope-from pjeremy) Date: Fri, 18 Nov 2005 18:04:42 +1100 From: Peter Jeremy To: freebsd-security@freebsd.org Message-ID: <20051118070442.GQ39882@cirb503493.alcatel.com.au> References: <20051117012552.46503.qmail@web51607.mail.yahoo.com> <437D5BC4.5000700@open-networks.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <437D5BC4.5000700@open-networks.net> User-Agent: Mutt/1.4.2.1i X-PGP-Key: http://members.optusnet.com.au/peterjeremy/pubkey.asc Subject: Re: Need urgent help regarding security X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 18 Nov 2005 07:04:47 -0000 On Fri, 2005-Nov-18 14:42:44 +1000, Timothy Smith wrote: >i have seen a similar attack recently doing a brute force ssh. the >number ONE weakness in most poorly run IT systems, is easy passwords. >it's amazingly easy to brute force these systems using common names or >variations of them. I strongly recommend that you disable reusable passwords on any system exposed to the Internet - RSA/DSA or OPIE are much harder to brute force. You can also use AllowUsers to further limit exposure. 
-- Peter Jeremy From owner-freebsd-security@FreeBSD.ORG Fri Nov 18 07:20:59 2005 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C113216A41F for ; Fri, 18 Nov 2005 07:20:59 +0000 (GMT) (envelope-from ray@redshift.com) Received: from outgoing.redshift.com (outgoing.redshift.com [207.177.231.8]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9436643D49 for ; Fri, 18 Nov 2005 07:20:59 +0000 (GMT) (envelope-from ray@redshift.com) Received: from workstation (216-228-19-21.dsl.redshift.com [216.228.19.21]) by outgoing.redshift.com (Postfix) with SMTP id E55F197913; Thu, 17 Nov 2005 23:20:58 -0800 (PST) Message-Id: <3.0.1.32.20051117232057.00a96750@pop.redshift.com> X-Mailer: na X-Sender: redshift.com Date: Thu, 17 Nov 2005 23:20:57 -0800 To: Timothy Smith From: ray@redshift.com Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Cc: freebsd-security@freebsd.org Subject: Re: Need urgent help regarding security X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 18 Nov 2005 07:20:59 -0000 At 02:42 PM 11/18/2005 +1000, Timothy Smith wrote: | i have seen a similar attack recently doing a brute force ssh. the | number ONE weakness in most poorly run IT systems, is easy passwords. | it's amazingly easy to brute force these systems using common names or | variations of them. Speaking of SSH, if you have to provide SSH service via a public IP# (and you are unable to limit traffic to just specific management/workstation IP#'s), then it's always a good idea to confirm that root login is not enabled in /etc/ssh/sshd_config. 
This makes a brute force attack much more difficult, since a would-be attacker not only has to hit the correct password, but they also have to know a valid username on the system (as opposed to just using 'root') during an attack.

Also, if you have access to the router, it's handy to re-write traffic from a higher public port down to port 22 on the server, since that will trip up anyone doing scans looking for a connect on port 22 across a large number of IP's.

Anyway, just a couple of ideas I thought might be helpful while on the subject of SSH hardening :-)

Ray

From owner-freebsd-security@FreeBSD.ORG Fri Nov 18 18:46:28 2005 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C1CE316A41F for ; Fri, 18 Nov 2005 18:46:28 +0000 (GMT) (envelope-from josh@tcbug.org) Received: from sccrmhc12.comcast.net (sccrmhc12.comcast.net [204.127.202.56]) by mx1.FreeBSD.org (Postfix) with ESMTP id BA5A343D6A for ; Fri, 18 Nov 2005 18:46:24 +0000 (GMT) (envelope-from josh@tcbug.org) Received: from [192.168.1.101] (c-24-118-173-219.hsd1.mn.comcast.net[24.118.173.219]) by comcast.net (sccrmhc12) with ESMTP id <200511181840410120026284e>; Fri, 18 Nov 2005 18:40:47 +0000 From: Josh Paetzel To: freebsd-security@freebsd.org Date: Fri, 18 Nov 2005 12:40:40 -0600 User-Agent: KMail/1.8.3 References: <3.0.1.32.20051117232057.00a96750@pop.redshift.com> In-Reply-To: <3.0.1.32.20051117232057.00a96750@pop.redshift.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200511181240.40429.josh@tcbug.org> Cc: Timothy Smith , ray@redshift.com Subject: Re: Need urgent help regarding security X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive:
List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 18 Nov 2005 18:46:28 -0000

On Friday 18 November 2005 01:20 am, ray@redshift.com wrote:
> At 02:42 PM 11/18/2005 +1000, Timothy Smith wrote:
> | i have seen a similar attack recently doing a brute force ssh.
> | the number ONE weakness in most poorly run IT systems, is easy
> | passwords. it's amazingly easy to brute force these systems using
> | common names or variations of them.
>
> Speaking of SSH, if you have to provide SSH service via a public
> IP# (and you are unable to limit traffic to just specific
> management/workstation IP#'s), then it's always a good idea to
> confirm that root login is not enabled in /etc/ssh/sshd_config.
> This makes a brute force attack much more difficult, since a
> would-be attacker not only has to hit the correct password, but
> they also have to know a valid username on the system (as opposed
> to just using 'root') during an attack.
>
> Also, if you have access to the router, it's handy to re-write
> traffic from a higher public port down to port 22 on the server,
> since that will trip up anyone doing scans looking for a connect on
> port 22 across a large number of IP's.
>
> Anyway, just a couple of ideas I thought might be helpful while on
> the subject of SSH hardening :-)
>
> Ray

Use public/private keys WITH hardened pass-phrases. If you aren't sure how secure your pass-phrases are, run john the ripper on them.

Allow only the bare minimum of remote networks to access ssh.

Make sure that only the users that need shells have them. Make double sure that users for mail/pop do NOT have shells. Oftentimes brute-force attacks will be directed at account names gleaned from emails.

-- Thanks, Josh Paetzel
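The replies in this thread each suggest a concrete check: Timothy Smith's look for anything executing out of /tmp, Peter Jeremy's and Ray's sshd_config settings (no reusable passwords, no root login, AllowUsers), and Josh Paetzel's point that mail-only accounts should not have a shell. The script below is an added example written for this archive, not code posted by any of the participants; it runs those three checks as POSIX sh functions over text on stdin. The ps, sshd_config and passwd samples in it are constructed. It assumes the sshd defaults of the OpenSSH releases of that period when a keyword is absent (PasswordAuthentication, ChallengeResponseAuthentication and PermitRootLogin all default to yes) and relies on the documented sshd_config rule that the first occurrence of a keyword is the one used.

```shell
#!/bin/sh
# Added example (not from the thread): post-compromise triage / SSH hardening
# audit. Each function reads text on stdin; on a live host use, for instance:
#   ps axo pid,user,command | procs_in_tmp
#   sshd_audit < /etc/ssh/sshd_config
#   login_shell_accounts < /etc/passwd

# 1. Processes whose argv[0] is an absolute path under /tmp or /var/tmp.
#    Input columns: PID USER COMMAND, first line being the ps header.
#    Caveat: something started as "./psybnc" after cd'ing into /tmp has a
#    relative argv[0] and is missed; fstat -p PID (FreeBSD) shows its cwd.
procs_in_tmp() {
    awk 'NR > 1 && $3 ~ "^(/tmp|/var/tmp)/" { print $1, $2, $3 }'
}

# 2a. Effective value of one sshd_config keyword (case-insensitive).
#     sshd honours the FIRST occurrence of a keyword, so a hardening line
#     appended at the end of the file loses to an earlier permissive one.
#     Match blocks (added in later OpenSSH versions) are not handled.
sshd_setting() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == key { print $2; exit }'
}

# 2b. Audit the settings recommended in the thread. Rule format:
#     keyword:wanted:default-when-absent ("*" = any value, but it must be set).
#     Assumed defaults: 2005-era OpenSSH, where all three keywords default to yes.
#     ChallengeResponseAuthentication is included because PAM can still accept
#     the same reusable password through keyboard-interactive; if OPIE is your
#     challenge-response method (Peter's alternative), keep it yes and drop the rule.
#     Prints one OK/FAIL line per rule; the return value is the failure count.
sshd_audit() {
    cfg=$(cat)
    fails=0
    for rule in \
        'passwordauthentication:no:yes' \
        'challengeresponseauthentication:no:yes' \
        'permitrootlogin:no:yes' \
        'allowusers:*:'
    do
        key=${rule%%:*}; rest=${rule#*:}; want=${rest%%:*}; dflt=${rest#*:}
        val=$(printf '%s\n' "$cfg" | sshd_setting "$key")
        if [ -n "$val" ]; then src=set; else val=$dflt; src=default; fi
        lc=$(printf '%s' "$val" | tr 'A-Z' 'a-z')
        if [ "$want" = '*' ] && [ -n "$val" ]; then res=OK
        elif [ "$want" != '*' ] && [ "$lc" = "$want" ]; then res=OK
        else res=FAIL; fails=$((fails + 1)); fi
        printf '%s %s=%s (%s)\n' "$res" "$key" "${val:-unset}" "$src"
    done
    return "$fails"
}

# 3. Accounts whose shell is not nologin/false. A mail/POP-only account listed
#    here is a password-guessing target for no reason.
login_shell_accounts() {
    awk -F: '$7 !~ /\/(nologin|false)$/ { print $1, $7 }'
}

# ---- constructed samples, not real data ---------------------------------
SAMPLE_PS='  PID USER     COMMAND
    1 root     /sbin/init
  512 root     /usr/sbin/sshd
  777 ftp      /usr/local/sbin/proftpd
 4321 ftp      /tmp/.x/bnc -f /tmp/.x/conf
 4322 ftp      ./psybnc'
# stock-looking file: every hardening keyword commented out, defaults apply
SAMPLE_SSHD_WEAK='#PermitRootLogin yes
#PasswordAuthentication yes
#ChallengeResponseAuthentication yes
Subsystem sftp /usr/libexec/sftp-server'
SAMPLE_SSHD_HARD='PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers ops@192.0.2.10 backup@192.0.2.11'
SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
ftp:*:14:5:Anonymous FTP Admin:/var/ftp:/usr/sbin/nologin
ops:*:1001:1001:Admin:/home/ops:/bin/sh
popuser1:*:1002:1002:Mail only:/var/mail/popuser1:/bin/sh
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin'

echo '== processes running out of /tmp =='
printf '%s\n' "$SAMPLE_PS" | procs_in_tmp
echo '== sshd_config, stock =='
printf '%s\n' "$SAMPLE_SSHD_WEAK" | sshd_audit || echo "-> $? setting(s) to fix"
echo '== sshd_config, hardened =='
printf '%s\n' "$SAMPLE_SSHD_HARD" | sshd_audit || echo "-> $? setting(s) to fix"
echo '== accounts with a login shell =='
printf '%s\n' "$SAMPLE_PASSWD" | login_shell_accounts
```

On the constructed input the stock-looking sshd_config produces four FAIL lines (every keyword is absent, so the permissive defaults apply) and the hardened one none; the passwd sample flags root, ops and popuser1, the last of which is exactly the kind of mail-only account Josh warns about. Two caveats worth keeping in mind: the /tmp check only sees absolute argv[0] paths, so a bouncer launched as ./psybnc from inside /tmp needs fstat -p (or lsof) to reveal its cwd and open files; and disabling PasswordAuthentication alone is not enough on a PAM-enabled sshd, since keyboard-interactive will accept the same reusable password unless ChallengeResponseAuthentication is also off or OPIE is what answers the challenge.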