From: "Jason C. Wells"
To: fbsd_chat
Subject: Rooted
Date: Mon, 09 Dec 2013 22:11:08 -0800
Message-ID: <52A6B07C.5050606@speakeasy.net>

For the second time in my life I've been rooted. I found a barbut.bsd.core file and a talkng file in my /root directory. Barbut is some sort of binary that a webserver hack seems to download and run after a broken module provides access. That's bothersome enough.

But the very bothersome part is that I do not run any services on this box beyond what is needed to provide packet filtering and ftp-proxy. I have all accounts disabled. I only log in after booting to single user mode on the console. I'm looking at the security advisories and I don't see one that seems to apply to my 8.2 system in my configuration.

So, short of an exploit in the network stack, pf, and ftp-proxy, what is a possible attack vector?

Regarding the security advisory lingo, does "unprivileged user" mean a remote attacker? Most (all?) of the advisories seem to involve local exploits or exploitable services.

Regards,
Jason C. Wells
From: Dag-Erling Smørgrav
To: "Jason C. Wells"
Cc: fbsd_chat
Subject: Re: Rooted
Date: Thu, 12 Dec 2013 17:33:28 +0100
In-Reply-To: <52A6B07C.5050606@speakeasy.net> (Jason C. Wells's message of "Mon, 09 Dec 2013 22:11:08 -0800")
Message-ID: <86haaedo6f.fsf@nine.des.no>

"Jason C. Wells" writes:
> Regarding the security advisory lingo, does "unprivileged user" mean a
> remote attacker? Most (all?) of the advisories seem to involve local
> exploits or exploitable services.

The term "unprivileged user" implies access to the system - it is a catch-all term for users who can run programs on the system but do not have the necessary credentials to access any files or devices or control any processes not owned by themselves.

A remote attacker would be explicitly labelled as such.

DES
--
Dag-Erling Smørgrav - des@des.no