From owner-freebsd-security@FreeBSD.ORG Mon Jun 7 05:50:15 2004
From: "Michael Vlasov"
Organization: RBR
To: freebsd-security@freebsd.org
Date: Mon, 07 Jun 2004 09:49:51 +0400
In-Reply-To: <20040529190052.25D1916A4CF@hub.freebsd.org>
References: <20040529190052.25D1916A4CF@hub.freebsd.org>
Subject: Re: freebsd-security Digest, Vol 61, Issue 3

On Sat, 29 May 2004 12:00:52 -0700 (PDT), wrote:

Hello!
Today I see in snort logs:

[**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
06/07-09:44:39.044590 127.0.0.1:80 -> 10.6.148.173:1566
TCP TTL:128 TOS:0x0 ID:577 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x75830001  Win: 0x0  TcpLen: 20
[Xref => http://rr.sans.org/firewall/egress.php]

[**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
06/07-09:44:39.075824 127.0.0.1:80 -> 10.6.249.83:1299
TCP TTL:128 TOS:0x0 ID:578 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x568A0001  Win: 0x0  TcpLen: 20
[Xref => http://rr.sans.org/firewall/egress.php]

[**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
06/07-09:44:39.107072 127.0.0.1:80 -> 10.6.96.121:1032
TCP TTL:128 TOS:0x0 ID:579 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x37920001  Win: 0x0  TcpLen: 20
[Xref => http://rr.sans.org/firewall/egress.php]

Why? ;-)

> Send freebsd-security mailing list submissions to
>         freebsd-security@freebsd.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://lists.freebsd.org/mailman/listinfo/freebsd-security
> or, via email, send a message with subject or body 'help' to
>         freebsd-security-request@freebsd.org
>
> You can reach the person managing the list at
>         freebsd-security-owner@freebsd.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of freebsd-security digest..."
>
>
> Today's Topics:
>
>    1. X & securelevel=3 (bofn)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 29 May 2004 05:43:23 +0200
> From: "bofn"
> Subject: X & securelevel=3
> To: freebsd-security@freebsd.org
> Content-Type: text/plain; charset="ISO-8859-1"
>
> running (4-Stable)
>
> Hi,
>
> short form question:
> how does one run XDM under securelevel>0 ?
>
> long version:
> i've searched for an answer on how to run Xfree/Xorg at a securelevel
> the X server likes access to /dev/io and some other resources but is not
> granted access after security is switched on.
> one way of doing it seems to be to start it before setting the securelevel, but
> then it doesn't allow a restart of X.
> the other option seems to be the Aperture patch, ported in 2001 with no recent
> updates and no longer usable against the current software.
>
> 2nd part of the question..
> cd writing needs direct access to /dev/ and that is also not allowed in
> secure mode.
> how can one give selective access to only allow (RW) access to one or two
> devices ?
>
> if there is no way of doing these things with configs and such, can anyone
> point me at the relevant source code that controls these functions so i can add
> this specific functionality.
>
>
> Cheers
> * Anna
>
>
> ------------------------------
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>
> End of freebsd-security Digest, Vol 61, Issue 3
> ***********************************************

From owner-freebsd-security@FreeBSD.ORG Mon Jun 7 06:10:51 2004
Date: Mon, 7 Jun 2004 16:10:46 +1000 (EST)
From: Neo-Vortex
To: Michael Vlasov
cc: freebsd-security@freebsd.org
Message-ID: <20040607160728.A47101@Neo-Vortex.Ath.Cx>
References: <20040529190052.25D1916A4CF@hub.freebsd.org>
Subject: Re: freebsd-security Digest, Vol 61, Issue 3

On Mon, 7 Jun 2004, Michael Vlasov wrote:

> On Sat, 29 May 2004 12:00:52 -0700 (PDT), wrote:
>
> Hello !
>
> Today i see in snort logs :
>
> [**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
> [Classification: Potentially Bad Traffic] [Priority: 2]
> 06/07-09:44:39.044590 127.0.0.1:80 -> 10.6.148.173:1566
> TCP TTL:128 TOS:0x0 ID:577 IpLen:20 DgmLen:40
> ***A*R** Seq: 0x0  Ack: 0x75830001  Win: 0x0  TcpLen: 20
> [Xref => http://rr.sans.org/firewall/egress.php]
>
> [**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
> [Classification: Potentially Bad Traffic] [Priority: 2]
> 06/07-09:44:39.075824 127.0.0.1:80 -> 10.6.249.83:1299
> TCP TTL:128 TOS:0x0 ID:578 IpLen:20 DgmLen:40
> ***A*R** Seq: 0x0  Ack: 0x568A0001  Win: 0x0  TcpLen: 20
> [Xref => http://rr.sans.org/firewall/egress.php]
>
> [**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
> [Classification: Potentially Bad Traffic] [Priority: 2]
> 06/07-09:44:39.107072 127.0.0.1:80 -> 10.6.96.121:1032
> TCP TTL:128 TOS:0x0 ID:579 IpLen:20 DgmLen:40
> ***A*R** Seq: 0x0  Ack: 0x37920001  Win: 0x0  TcpLen: 20
> [Xref => http://rr.sans.org/firewall/egress.php]
>
> Why ?
> ;-)

Ok, that means that someone (or thing) is spoofing packets to your box
(I know, and so does snort, that it's spoofed because the source IP is
127.0.0.1 and it's coming in on an interface apart from lo0). This is
sometimes used as a DoS attack (it's one of those fun addresses to use as
source addresses for them), although, by the looks of it (because there are
multiple dst-ports being used), someone is using a program like nmap to
portscan your host using a spoofed IP.

~Neo-Vortex

From owner-freebsd-security@FreeBSD.ORG Mon Jun 7 06:39:11 2004
Date: Sun, 6 Jun 2004 23:38:55 -0700 (PDT)
From: Doug Barton
Organization: http://www.FreeBSD.org/
To: Dan Rue
cc: "freebsd-security@freebsd.org"
cc: Remko Lodder
cc: "David E.
Meier"
Message-ID: <20040606233720.F1850@ync.qbhto.arg>
In-Reply-To: <20040520033024.GA26640@therub.org>
References: <20040518160517.GA10067@therub.org> <20040520033024.GA26640@therub.org>
Subject: Re: [Freebsd-security] Re: Multi-User Security

On Wed, 19 May 2004, Dan Rue wrote:

> You obviously haven't tried to chroot scponly users.. _that's_ the tricky
> part. Especially if you want it to scale up beyond a handful of users.
> If I'm wrong - fill me in, I'd love to hear how to do it.

Have you considered using ~/.ssh/authorized_keys to restrict the account
from tty access? This would allow you to do commands (like scp) without
the risk of the user getting an actual shell.

Doug

-- 
This .signature sanitized for your protection

From owner-freebsd-security@FreeBSD.ORG Mon Jun 7 20:39:47 2004
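Doug's authorized_keys suggestion above, as an added example that is not from the thread, from scponly, or from OpenSSH itself. In OpenSSH's authorized_keys, the `no-pty` option only withholds a terminal; sshd still runs whatever command the client names, so the key has to be tied to a `command=` wrapper that decides for itself what may run. The script below is such a wrapper: it reads the client's request from `SSH_ORIGINAL_COMMAND`, allows only a well-formed `scp -t`/`scp -f` confined to one directory or an sftp session, and refuses everything else. The directory `/home/alice/upload`, the wrapper path `/usr/local/bin/scp-gate` and the sftp-server path `/usr/libexec/sftp-server` are assumptions for the example; the helper names are mine.

```python
"""Forced-command gate for an scp/sftp-only account (added example).

Installed via command= in ~/.ssh/authorized_keys, it receives the client's
request in SSH_ORIGINAL_COMMAND and executes only a well-formed scp or sftp
request confined to one directory; anything else is refused.
"""
import os
import shlex
import sys

ALLOWED_ROOT = "/home/alice/upload"          # assumed: the only directory scp may touch
WRAPPER = "/usr/local/bin/scp-gate"          # assumed install path of this script
SFTP_SERVER = "/usr/libexec/sftp-server"     # assumed path of the sftp server binary
SCP_OPTIONS = {"-r", "-p", "-d", "-v", "-q"}  # harmless options scp may pass server-side


def authorized_keys_line(pubkey: str, wrapper: str = WRAPPER) -> str:
    """Build the restrictive authorized_keys entry for one public key.

    no-pty alone restricts nothing: sshd still runs the command the client
    names. command= is what turns the client's request into advice only.
    """
    options = [
        f'command="{wrapper}"',
        "no-pty",
        "no-port-forwarding",
        "no-X11-forwarding",
        "no-agent-forwarding",
    ]
    return ",".join(options) + " " + pubkey.strip()


def _inside_root(path: str, root: str) -> bool:
    """True if path, after normalisation, is root itself or lies below it."""
    if not path.startswith("/"):
        path = os.path.join(root, path)      # relative names resolve under root
    norm = os.path.normpath(path)            # collapses ../ so traversal is visible
    return norm == root or norm.startswith(root + "/")


def command_is_allowed(original_command: str, root: str = ALLOWED_ROOT) -> bool:
    """Decide whether SSH_ORIGINAL_COMMAND is an acceptable scp/sftp request."""
    if not original_command:
        return False                         # empty = the client wants a login shell
    try:
        argv = shlex.split(original_command)
    except ValueError:                       # unbalanced quotes
        return False
    if argv in (["sftp"], [SFTP_SERVER]):    # subsystem request, or the server by path
        return True
    if len(argv) < 3 or argv[0] != "scp":    # "/bin/sh", "bash -i", ... end here
        return False
    *opts, mode, path = argv[1:]
    if mode not in ("-t", "-f"):             # -t: client uploads, -f: client downloads
        return False
    if any(opt not in SCP_OPTIONS for opt in opts):
        return False                         # rejects e.g. "-S /bin/sh"
    if any(ch in path for ch in ";|&$`\n"):  # belt and braces: no shell metacharacters
        return False
    return _inside_root(path, root)


def main() -> int:
    requested = os.environ.get("SSH_ORIGINAL_COMMAND", "")
    if not command_is_allowed(requested):
        print("scp-gate: command refused", file=sys.stderr)
        return 1
    argv = shlex.split(requested)
    if argv == ["sftp"]:
        argv = [SFTP_SERVER]
    os.chdir(ALLOWED_ROOT)                   # relative scp targets land here
    os.execvp(argv[0], argv)                 # replaces this process; no shell involved
    return 1                                 # only reached if execvp fails


if __name__ == "__main__":
    sys.exit(main())
```

Only the scp path is confined by this gate; an sftp session is allowed through as-is and is not restricted to the directory, which is exactly the part that still needs a chroot (the problem Dan raised). The design choice worth noting is that the wrapper never hands the request to a shell: it splits it with `shlex`, checks the argument shape, and `execvp`s the program directly, so a request like `scp -t /home/alice/upload; /bin/sh` fails the shape check rather than being interpreted.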
Date: Mon, 7 Jun 2004 13:39:43 -0700
From: "Crist J. Clark"
Reply-To: "Crist J. Clark"
To: Neo-Vortex
cc: Michael Vlasov
cc: freebsd-security@freebsd.org
Message-ID: <20040607203943.GB75747@blossom.cjclark.org>
References: <20040529190052.25D1916A4CF@hub.freebsd.org> <20040607160728.A47101@Neo-Vortex.Ath.Cx>
In-Reply-To: <20040607160728.A47101@Neo-Vortex.Ath.Cx>
X-URL: http://people.freebsd.org/~cjc/
Subject: Re: freebsd-security Digest, Vol 61, Issue 3

On Mon, Jun 07, 2004 at 04:10:46PM +1000, Neo-Vortex wrote:
> On Mon, 7 Jun 2004, Michael Vlasov wrote:
>
> > On Sat, 29 May 2004 12:00:52 -0700 (PDT), wrote:
> >
> > Hello !
> >
> > Today i see in snort logs :
> >
> > [**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
> > [Classification: Potentially Bad Traffic] [Priority: 2]
> > 06/07-09:44:39.044590 127.0.0.1:80 -> 10.6.148.173:1566
> > TCP TTL:128 TOS:0x0 ID:577 IpLen:20 DgmLen:40
> > ***A*R** Seq: 0x0  Ack: 0x75830001  Win: 0x0  TcpLen: 20
> > [Xref => http://rr.sans.org/firewall/egress.php]
> >
> > [**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
> > [Classification: Potentially Bad Traffic] [Priority: 2]
> > 06/07-09:44:39.075824 127.0.0.1:80 -> 10.6.249.83:1299
> > TCP TTL:128 TOS:0x0 ID:578 IpLen:20 DgmLen:40
> > ***A*R** Seq: 0x0  Ack: 0x568A0001  Win: 0x0  TcpLen: 20
> > [Xref => http://rr.sans.org/firewall/egress.php]
> >
> > [**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
> > [Classification: Potentially Bad Traffic] [Priority: 2]
> > 06/07-09:44:39.107072 127.0.0.1:80 -> 10.6.96.121:1032
> > TCP TTL:128 TOS:0x0 ID:579 IpLen:20 DgmLen:40
> > ***A*R** Seq: 0x0  Ack: 0x37920001  Win: 0x0  TcpLen: 20
> > [Xref => http://rr.sans.org/firewall/egress.php]
> >
> > Why ? ;-)
>
> Ok, that means that someone (or thing) is spoofing packets to your box
> (i know, and so does snort, that its spoofed because the source ip is
> 127.0.0.1 and its coming in on an interface apart from lo0) this is
> sometimes used as a DoS attack (its one of those fun addresses to use as
> source addresses for them), although, by the looks of it (because theres
> multiple dst-ports being used), someone is using a program like nmap to
> portscan your host using a spoofed ip

The original post is not really on topic for this list. It is a general
security incident question whereas the topic here should be more FreeBSD
specific.

That said, that traffic looks like Blaster backscatter. Early on in
Blaster, there was some ill-conceived advice to map windowsupdate.com to
127.0.0.1 to prevent the DDoS.
So what happens is that an infected host picks a random address "near"
its own (in this case, it looks like the infected host is in
10.6.0.0/16), looks up the hostname to attack and gets 127.0.0.1. It
sends a SYN to 127.0.0.1, which is itself, but odds are it has no HTTP
server running, nothing listening on 80/tcp, so it replies with a RST to
the source... the spoofed source... with the source of the RST being the
destination of the SYN, 127.0.0.1. These RSTs are what you are seeing
above.

So, if this traffic is coming from some internal 10.16.0.0/16 network,
it's time to go looking for a Blaster infection. If it is originating
from the outside, not a lot you can do, but there is nothing harmful
about it unless there is enough of this noise to eat significant
resources.

-- 
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

From owner-freebsd-security@FreeBSD.ORG Mon Jun 7 20:42:00 2004
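Crist's backscatter explanation above, as an added example that is not part of the thread: a small triage script that parses Snort alert text of the kind Michael posted, tags RST/ACK packets sourced from 127.0.0.1 as the self-RST backscatter Crist describes (a host answering its own SYN to loopback port 80, with the RST addressed to the spoofed SYN source), separates them from other loopback-sourced packets, and reports the /16 the spoofed destinations cluster in, following Crist's "random address near its own" reasoning, so an operator knows where to start looking for the infected host. The sample alerts are a constructed copy of the three from the thread plus one made-up SYN so the other path is exercised; the classification labels and function names are mine.

```python
"""Triage Snort "BAD-TRAFFIC loopback traffic" alerts (added example).

Separates RST/ACK backscatter from 127.0.0.1:80 (a host answering its own
SYN to loopback on a closed port) from other loopback-sourced packets and
reports the /16 the spoofed destinations share.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample: the three alerts quoted in the thread, plus one made-up
# SYN from 127.0.0.1 so the non-backscatter path is exercised too.
SAMPLE_ALERTS = """\
[**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
06/07-09:44:39.044590 127.0.0.1:80 -> 10.6.148.173:1566
TCP TTL:128 TOS:0x0 ID:577 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x75830001  Win: 0x0  TcpLen: 20
[Xref => http://rr.sans.org/firewall/egress.php]

[**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
06/07-09:44:39.075824 127.0.0.1:80 -> 10.6.249.83:1299
TCP TTL:128 TOS:0x0 ID:578 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x568A0001  Win: 0x0  TcpLen: 20
[Xref => http://rr.sans.org/firewall/egress.php]

[**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
06/07-09:44:39.107072 127.0.0.1:80 -> 10.6.96.121:1032
TCP TTL:128 TOS:0x0 ID:579 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x37920001  Win: 0x0  TcpLen: 20
[Xref => http://rr.sans.org/firewall/egress.php]

[**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
06/07-09:51:02.000001 127.0.0.1:4444 -> 10.6.1.9:139
TCP TTL:64 TOS:0x0 ID:9001 IpLen:20 DgmLen:48
******S* Seq: 0x1A2B3C4D  Ack: 0x0  Win: 0x4000  TcpLen: 28
[Xref => http://rr.sans.org/firewall/egress.php]
"""

# Packet header line: timestamp, src:port -> dst:port
HEADER_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)
# TCP line: 8-character flag field (Snort's 12UAPRSF positions), then Seq/Ack/Win
FLAGS_RE = re.compile(
    r"^(?P<flags>[*12UAPRSF]{8})\s+Seq:\s*(?P<seq>0x[0-9A-Fa-f]+)\s+"
    r"Ack:\s*(?P<ack>0x[0-9A-Fa-f]+)\s+Win:\s*(?P<win>0x[0-9A-Fa-f]+)"
)


def parse_alerts(text):
    """Return one dict per alert with the address and TCP flag fields."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            current = {k: m.group(k) for k in ("ts", "src", "sport", "dst", "dport")}
            continue
        m = FLAGS_RE.match(line)
        if m and current is not None:
            current["flags"] = m.group("flags")
            for field in ("seq", "ack", "win"):
                current[field] = int(m.group(field), 16)
            records.append(current)
            current = None
    return records


def classify(rec):
    """A bare RST/ACK with seq 0 and window 0 is a closed-port reply, i.e.
    backscatter of a SYN whose source was forged to be this alert's dst."""
    if rec["src"] != "127.0.0.1":
        return "other"
    flags = rec["flags"]
    rst_ack = "R" in flags and "A" in flags and "S" not in flags
    if rst_ack and rec["seq"] == 0 and rec["win"] == 0:
        return "loopback-rst-backscatter"
    return "loopback-spoof-other"


def summarize(text):
    """Count alert kinds and name the /16 most backscatter destinations share."""
    records = parse_alerts(text)
    kinds = Counter(classify(r) for r in records)
    nets = Counter(
        str(ipaddress.ip_network(f"{r['dst']}/16", strict=False))
        for r in records if classify(r) == "loopback-rst-backscatter"
    )
    return {
        "backscatter": kinds["loopback-rst-backscatter"],
        "other_loopback": kinds["loopback-spoof-other"],
        "likely_infected_net": nets.most_common(1)[0][0] if nets else None,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_ALERTS))
```

The /16 heuristic is only a starting point: it tells you which internal network to sweep for Blaster if the packets arrive from inside, and, as Crist notes, if they arrive from outside there is little to do beyond watching that the volume stays harmless.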
Date: Mon, 7 Jun 2004 13:41:49 -0700
From: "Crist J. Clark"
Reply-To: "Crist J. Clark"
To: Doug Barton
cc: "freebsd-security@freebsd.org"
cc: Remko Lodder
cc: "David E. Meier"
cc: Dan Rue
Message-ID: <20040607204149.GC75747@blossom.cjclark.org>
References: <20040518160517.GA10067@therub.org> <20040520033024.GA26640@therub.org> <20040606233720.F1850@ync.qbhto.arg>
In-Reply-To: <20040606233720.F1850@ync.qbhto.arg>
X-URL: http://people.freebsd.org/~cjc/
Subject: Re: [Freebsd-security] Re: Multi-User Security

On Sun, Jun 06, 2004 at 11:38:55PM -0700, Doug Barton wrote:
> On Wed, 19 May 2004, Dan Rue wrote:
>
> >You obviously havn't tried to chroot scponly users.. _that's_ the tricky
> >part. Especially if you want it to scale up beyond a handful of users.
> >If i'm wrong - fill me in i'd love to hear how to do it.
>
> Have you considered using ~/.ssh/authorized_keys to restrict the account
> from tty access? This would allow you to do commands (like scp) without
> the risk of the user getting an actual shell.

  $ ssh host /bin/sh

You don't need a tty to get an interactive shell.

-- 
Crist J.
Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

From owner-freebsd-security@FreeBSD.ORG Mon Jun 7 21:06:50 2004
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: security-advisories@freebsd.org
Message-Id: <20040607210614.112DF33C75@dwp.des.no>
Date: Mon, 7 Jun 2004 23:06:14 +0200 (CEST)
Subject: FreeBSD Security Advisory FreeBSD-SA-04:12.jailroute

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-04:12.jailroute                                  Security Advisory
                                                          The FreeBSD Project

Topic:          Jailed processes can manipulate host routing tables

Category:       core
Module:         kernel
Announced:      2004-06-07
Credits:        Pawel Malachowski
Affects:        All FreeBSD 4.x releases prior to
4.10-RELEASE
Corrected:      2004-04-06 20:11:53 UTC (RELENG_4)
                2004-06-07 17:44:44 UTC (RELENG_4_9, 4.9-RELEASE-p10)
                2004-06-07 17:42:42 UTC (RELENG_4_8, 4.8-RELEASE-p23)
CVE Name:       CAN-2004-0125
FreeBSD only:   YES

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The jail(2) system call allows a system administrator to lock up a
process and all its descendants inside a closed environment with very
limited ability to affect the system outside that environment, even for
processes with superuser privileges. It is an extension of, but far
more stringent than, the traditional Unix chroot(2) system call.

The FreeBSD kernel maintains internal routing tables for the purpose of
determining which interface should be used to transmit packets. These
routing tables can be manipulated by user processes running with
superuser privileges by sending messages over a routing socket.

II.  Problem Description

A programming error resulting in a failure to verify that an attempt to
manipulate routing tables originated from a non-jailed process.

III. Impact

Jailed processes running with superuser privileges could modify host
routing tables. This could result in a variety of consequences including
packets being sent via an incorrect network interface and packets being
discarded entirely.

IV.  Workaround

No workaround is available.

V.   Solution

Do one of the following:

1) Upgrade your vulnerable system to 4.10-RELEASE, or to the RELENG_4_8
or RELENG_4_9 security branch dated after the correction date.

OR

2) Patch your present system:

The following patch has been verified to apply to the FreeBSD 4.8 and
4.9 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:12/jailroute.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:12/jailroute.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_4
  src/sys/net/rtsock.c                                          1.44.2.13
RELENG_4_9
  src/UPDATING                                             1.73.2.89.2.11
  src/sys/conf/newvers.sh                                  1.44.2.32.2.11
  src/sys/net/rtsock.c                                      1.44.2.11.4.1
RELENG_4_8
  src/UPDATING                                             1.73.2.80.2.26
  src/sys/conf/newvers.sh                                  1.44.2.29.2.24
  src/sys/net/rtsock.c                                      1.44.2.11.2.1
- -------------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)

iD8DBQFAxNfYFdaIBMps37IRAiU4AJ91d4MhEjkRL0PBddb/tuZoUsgh5QCgmRhN
Xfy0St57y/HuS9TuQ2akEYI=
=Tucm
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Mon Jun 7 22:56:56 2004
From: "bofn"
To: freebsd-security@freebsd.org
Date: Tue, 08 Jun 2004 00:56:32 +0200
In-Reply-To: <20040607120110.D429C16A4D3@hub.freebsd.org>
Subject: Re: X & securelevel=3

> > running (4-Stable)
> >
> > Hi,
> >
> > short form question:
> > how does one run XDM under securelevel>0 ?

I've revived the Aperture kernel patch for the 4-Stable kernels and put a
flag in for mutex under 5-Stable, but have not and will not test that part.
The Xorg package does support it with the right flag switched on..

So... the XDM under Seclevel is under control. I will publish the new
version of the patch once I've tested it a bit more.

Next one will be enabling access to /dev/<(a)cd0c> for CD writing.
Unless someone has a clever idea on how to do it ?!
Pointers and samples are welcome.

Cheers
* Anna

From owner-freebsd-security@FreeBSD.ORG Tue Jun 8 10:18:49 2004
Message-Id: <6.1.0.6.1.20040608105255.02e78ba0@popserver.sfu.ca>
Date: Tue, 08 Jun 2004 11:18:34 +0100
To: freebsd-security@freebsd.org
From: Colin Percival
In-Reply-To: <20040607210614.112DF33C75@dwp.des.no>
References: <20040607210614.112DF33C75@dwp.des.no>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-04:12.jailroute

At 22:06 07/06/2004, FreeBSD Security Advisories wrote:
>FreeBSD-SA-04:12.jailroute                                  Security Advisory
>Affects:        All FreeBSD 4.x releases prior to 4.10-RELEASE

As a few people have noted, this should read "FreeBSD 4.8 and 4.9"; this bug
never existed in earlier versions of FreeBSD.
That said, FreeBSD 4.7 and earlier are no longer officially supported, and it
is highly recommended that people upgrade to a newer version, since there have
been recent security advisories concerning issues to which earlier releases are
still vulnerable.

>V.   Solution
>Do one of the following:
>
>1) Upgrade your vulnerable system to 4.10-RELEASE, or to the RELENG_4_8
>or RELENG_4_9 security branch dated after the correction date.
>
>OR
>
>2) Patch your present system:

or, as usual,

3) If you are running an affected release, you can use FreeBSD Update:
# cd /usr/ports/security/freebsd-update && make all install
# cp /usr/local/etc/freebsd-update.conf.sample /usr/local/etc/freebsd-update.conf
# /usr/local/sbin/freebsd-update fetch
# /usr/local/sbin/freebsd-update install

For more details, see http://www.daemonology.net/freebsd-update/ .

Note that this is something I'm providing personally; it is in no way
endorsed by the Security Officer or the Project as a whole.

Colin Percival

From owner-freebsd-security@FreeBSD.ORG Tue Jun 8 19:26:40 2004
From: "Kyle Mott"
To: "'Colin Percival'"
cc: freebsd-security@freebsd.org
Date: Tue, 8 Jun 2004 12:26:36 -0700
Message-ID: <000801c44d8e$83e982f0$1414a8c0@kyle>
In-Reply-To: <6.1.0.6.1.20040608105255.02e78ba0@popserver.sfu.ca>
Subject: RE: FreeBSD Security Advisory FreeBSD-SA-04:12.jailroute
If we are running RELENG_4, will we still receive the fix? I ask because
it says to upgrade to 4.10-RELEASE, RELENG_4_8, or RELENG_4_9. Am I
misunderstanding the RELENG tags?

-Kyle Mott

> -----Original Message-----
> From: owner-freebsd-security@freebsd.org [mailto:owner-freebsd-security@freebsd.org] On Behalf Of Colin Percival
> Sent: Tuesday, June 08, 2004 3:19 AM
> To: freebsd-security@freebsd.org
> Subject: Re: FreeBSD Security Advisory FreeBSD-SA-04:12.jailroute
>
> At 22:06 07/06/2004, FreeBSD Security Advisories wrote:
> >FreeBSD-SA-04:12.jailroute                                  Security Advisory
> >Affects:        All FreeBSD 4.x releases prior to 4.10-RELEASE
>
> As a few people have noted, this should read "FreeBSD 4.8 and 4.9"; this
> bug never existed in earlier versions of FreeBSD.
> That said, FreeBSD 4.7 and earlier are no longer officially supported,
> and it is highly recommended that people upgrade to a newer version, since
> there have been recent security advisories concerning issues to which
> earlier releases are still vulnerable.
>
> >V.   Solution
> >Do one of the following:
> >
> >1) Upgrade your vulnerable system to 4.10-RELEASE, or to the RELENG_4_8
> >or RELENG_4_9 security branch dated after the correction date.
> >
> >OR
> >
> >2) Patch your present system:
>
> or, as usual,
>
> 3) If you are running an affected release, you can use FreeBSD Update:
> # cd /usr/ports/security/freebsd-update && make all install
> # cp /usr/local/etc/freebsd-update.conf.sample /usr/local/etc/freebsd-update.conf
> # /usr/local/sbin/freebsd-update fetch
> # /usr/local/sbin/freebsd-update install
>
> For more details, see http://www.daemonology.net/freebsd-update/ .
>
> Note that this is something I'm providing personally; it is in no way
> endorsed by the Security Officer or the Project as a whole.
>
> Colin Percival

From owner-freebsd-security@FreeBSD.ORG Tue Jun 8 19:33:40 2004
Processed in 0.14466 secs); 08 Jun 2004 19:33:38 -0000 Received: from dhcp1131.wadham.ox.ac.uk (HELO piii600.wadham.ox.ac.uk) (163.1.161.131) by gateway.wadham.ox.ac.uk with SMTP; 8 Jun 2004 19:33:38 -0000 Message-Id: <6.1.0.6.1.20040608202851.0408c9c8@popserver.sfu.ca> X-Sender: cperciva@popserver.sfu.ca (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 6.1.0.6 Date: Tue, 08 Jun 2004 20:33:34 +0100 To: "Kyle Mott" From: Colin Percival In-Reply-To: <000801c44d8e$83e982f0$1414a8c0@kyle> References: <6.1.0.6.1.20040608105255.02e78ba0@popserver.sfu.ca> <000801c44d8e$83e982f0$1414a8c0@kyle> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" cc: freebsd-security@freebsd.org Subject: RE: FreeBSD Security Advisory FreeBSD-SA-04:12.jailroute X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 08 Jun 2004 19:33:40 -0000 At 20:26 08/06/2004, Kyle Mott wrote: >If we are running RELENG_4, will we still receive the fix? I ask because >it says to upgrade to 4.10-RELEASE, RELENG_4_8, or RELENG_4_9. Am I >misunderstanding the RELENG tags? This was fixed in RELENG_4 in April: >Corrected: 2004-04-06 20:11:53 UTC (RELENG_4) So yes, if you upgrade to the latest -STABLE now, this problem will be fixed. 
Colin Percival From owner-freebsd-security@FreeBSD.ORG Wed Jun 9 12:03:27 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 97A1116A4CE; Wed, 9 Jun 2004 12:03:27 +0000 (GMT) Received: from rwcrmhc12.comcast.net (rwcrmhc12.comcast.net [216.148.227.85]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8812D43D41; Wed, 9 Jun 2004 12:03:27 +0000 (GMT) (envelope-from DougB@freebsd.org) Received: from lap (c-24-130-110-32.we.client2.attbi.com[24.130.110.32]) by comcast.net (rwcrmhc12) with SMTP id <2004060912030101400buj8be>; Wed, 9 Jun 2004 12:03:11 +0000 Date: Wed, 9 Jun 2004 05:03:02 -0700 (PDT) From: Doug Barton To: "Crist J. Clark" In-Reply-To: <20040607204149.GC75747@blossom.cjclark.org> Message-ID: <20040609050217.Q5839@ync.qbhto.arg> References: <20040518160517.GA10067@therub.org> <20040606233720.F1850@ync.qbhto.arg> <20040607204149.GC75747@blossom.cjclark.org> Organization: http://www.FreeBSD.org/ X-message-flag: Outlook -- Not just for spreading viruses anymore! MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed cc: "freebsd-security@freebsd.org" cc: Remko Lodder cc: "David E. Meier" cc: Dan Rue Subject: Re: [Freebsd-security] Re: Multi-User Security X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Jun 2004 12:03:27 -0000 On Mon, 7 Jun 2004, Crist J. Clark wrote: > On Sun, Jun 06, 2004 at 11:38:55PM -0700, Doug Barton wrote: >> On Wed, 19 May 2004, Dan Rue wrote: >> >>> You obviously haven't tried to chroot scponly users.. _that's_ the tricky >>> part. Especially if you want it to scale up beyond a handful of users. >>> If I'm wrong - fill me in, I'd love to hear how to do it.
>> >> Have you considered using ~/.ssh/authorized_keys to restrict the account >> from tty access? This would allow you to do commands (like scp) without >> the risk of the user getting an actual shell. > > $ ssh host /bin/sh > > You don't need a tty to get an interactive shell. You can also enforce what commands the user can run to prevent this. Read sshd(8) for more information. Doug -- This .signature sanitized for your protection From owner-freebsd-security@FreeBSD.ORG Sat Jun 12 11:16:32 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9CFD716A4CE for ; Sat, 12 Jun 2004 11:16:32 +0000 (GMT) Received: from ns.pro.sk (proxy.pro.sk [212.55.244.46]) by mx1.FreeBSD.org (Postfix) with ESMTP id 752F443D2D for ; Sat, 12 Jun 2004 11:16:31 +0000 (GMT) (envelope-from prosa@pro.sk) Received: from peter (Ucto [192.168.1.53]) by ns.pro.sk (8.12.9p2/8.12.9) with SMTP id i5CBFjQA012972 for ; Sat, 12 Jun 2004 13:15:45 +0200 (CEST) (envelope-from prosa@pro.sk) Message-ID: <016301c4506e$947644e0$3501a8c0@pro.sk> From: "Peter Rosa" To: "FreeBSD Security" Date: Sat, 12 Jun 2004 13:15:33 +0200 X-Priority: 1 X-MSMail-Priority: High X-Mailer: Microsoft Outlook Express 6.00.2800.1409 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409 X-RAVMilter-Version: 8.4.3(snapshot 20030217) (ns.pro.sk) Subject: Hacked or not ? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 12 Jun 2004 11:16:32 -0000 Hi all, please advise me - I was on holidays for one week. After return I found in security mails from router (chkrootkit) the following message: Checking `lkm'... 
You have 1 process hidden for readdir command You have 1 process hidden for ps command Warning: Possible LKM Trojan installed It appeared only once. From previous and next days' reports, the message is not present. How could I be sure the machine is not hacked? Many thanks for any response. Peter Rosa From owner-freebsd-security@FreeBSD.ORG Sat Jun 12 11:45:13 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 53F3C16A4CE for ; Sat, 12 Jun 2004 11:45:13 +0000 (GMT) Received: from ns.pro.sk (proxy.pro.sk [212.55.244.46]) by mx1.FreeBSD.org (Postfix) with ESMTP id 94B6443D2D for ; Sat, 12 Jun 2004 11:45:12 +0000 (GMT) (envelope-from prosa@pro.sk) Received: from peter (Ucto [192.168.1.53]) by ns.pro.sk (8.12.9p2/8.12.9) with SMTP id i5CBivQA013285 for ; Sat, 12 Jun 2004 13:44:57 +0200 (CEST) (envelope-from prosa@pro.sk) Message-ID: <019101c45072$a8b9cfe0$3501a8c0@pro.sk> From: "Peter Rosa" To: "FreeBSD Security" Date: Sat, 12 Jun 2004 13:44:45 +0200 X-Priority: 1 X-MSMail-Priority: High X-Mailer: Microsoft Outlook Express 6.00.2800.1409 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409 X-RAVMilter-Version: 8.4.3(snapshot 20030217) (ns.pro.sk) Subject: Hacked or not appendice X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 12 Jun 2004 11:45:13 -0000 Hi all again, I must add, there are no log entries after June 9, 2004. The "LKM" message first appeared June 8, 2004; after this day, there is nothing in /var/messages, /var/security ..... How could I look for a suspicious LKM module? How could I find it, if the machine is hacked and I cannot believe the "ls", "find" etc. commands? 
Peter Rosa From owner-freebsd-security@FreeBSD.ORG Sat Jun 12 11:47:12 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2A0EF16A4CE for ; Sat, 12 Jun 2004 11:47:12 +0000 (GMT) Received: from buexe.b-5.de (buexe.b-5.de [80.148.32.30]) by mx1.FreeBSD.org (Postfix) with ESMTP id D31F643D53 for ; Sat, 12 Jun 2004 11:47:10 +0000 (GMT) (envelope-from lupe@lupe-christoph.de) Received: from antalya.lupe-christoph.de ([172.17.0.9])i5CBl6S18587; Sat, 12 Jun 2004 13:47:06 +0200 Received: from localhost (localhost [127.0.0.1]) by antalya.lupe-christoph.de (Postfix) with ESMTP id C853EB887; Sat, 12 Jun 2004 13:47:00 +0200 (CEST) Received: from antalya.lupe-christoph.de ([127.0.0.1]) by localhost (antalya [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 25181-02; Sat, 12 Jun 2004 13:47:00 +0200 (CEST) Received: by antalya.lupe-christoph.de (Postfix, from userid 1000) id 9FEA1B886; Sat, 12 Jun 2004 13:47:00 +0200 (CEST) Date: Sat, 12 Jun 2004 13:47:00 +0200 To: Peter Rosa Message-ID: <20040612114700.GA1082@lupe-christoph.de> References: <016301c4506e$947644e0$3501a8c0@pro.sk> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <016301c4506e$947644e0$3501a8c0@pro.sk> User-Agent: Mutt/1.5.5.1+cvs20040105i From: lupe@lupe-christoph.de (Lupe Christoph) X-Virus-Scanned: by amavisd-new-20030616-p7 (Debian) at lupe-christoph.de cc: FreeBSD Security Subject: Re: Hacked or not ? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 12 Jun 2004 11:47:12 -0000 On Saturday, 2004-06-12 at 13:15:33 +0200, Peter Rosa wrote: > please advise me - I was on holidays for one week. 
After return I found in > security mails from router (chkrootkit) the following message: > Checking `lkm'... You have 1 process hidden for readdir command > You have 1 process hidden for ps command > Warning: Possible LKM Trojan installed > It appeared only once. From previous and next days' reports, the message is > not present. This is an artifact. chkrootkit uses two methods to look at the running processes - ps and /proc. When a process terminates between the two runs, you will get this. I see it at irregular intervals on all my machines that run chkrootkit. But if your machine is critical, running chkrootkit once daily is not enough. This gives a cracker too much time to nest in. Run it at least every hour. Are you running an integrity checker like AIDE, Tripwire, etc.? > How could I be sure the machine is not hacked? You can't. Not in general. chkrootkit goes only so far. Always assume the worst. But don't panic. HTH, Lupe Christoph PS: Flames that this is not a security help mailing list to /dev/null, please. If you want to flame me, put the energy into creating a freebsd-security-help mailing list instead. -- | lupe@lupe-christoph.de | http://www.lupe-christoph.de/ | | "... putting a mail server on the Internet without filtering is like | | covering yourself with barbecue sauce and breaking into the Charity | | Home for Badgers with Rabies. 
Michael Lucas | From owner-freebsd-security@FreeBSD.ORG Sat Jun 12 12:02:01 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7483616A4CE for ; Sat, 12 Jun 2004 12:02:01 +0000 (GMT) Received: from ajax.achean.com (ajax.achean.com [212.87.82.16]) by mx1.FreeBSD.org (Postfix) with ESMTP id BDE7943D53 for ; Sat, 12 Jun 2004 12:02:00 +0000 (GMT) (envelope-from jon.mercer@achean.com) Received: from ajax.achean.com (ajax.achean.com [212.87.82.16]) by ajax.achean.com (8.12.11/8.12.11) with ESMTP id i5CC1cVJ003581 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Sat, 12 Jun 2004 13:01:38 +0100 (BST) (envelope-from jon.mercer@achean.com) Received: (from www@localhost) by ajax.achean.com (8.12.11/8.12.11/Submit) id i5CC1c2a003580; Sat, 12 Jun 2004 13:01:38 +0100 (BST) (envelope-from jon.mercer@achean.com) X-Authentication-Warning: ajax.achean.com: www set sender to jon.mercer@achean.com using -f Received: from 217.155.191.90 (SquirrelMail authenticated user jon.mercer) by webmail.achean.com with HTTP; Sat, 12 Jun 2004 13:01:38 +0100 (BST) Message-ID: <55017.217.155.191.90.1087041698.squirrel@webmail.achean.com> Date: Sat, 12 Jun 2004 13:01:38 +0100 (BST) From: jon.mercer@achean.com To: freebsd-security@freebsd.org User-Agent: SquirrelMail/1.4.2 MIME-Version: 1.0 Content-Type: text/plain;charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Priority: 1 Importance: High X-Virus-Scanned: clamd / ClamAV version devel-20040529, clamav-milter version 0.71 X-Virus-Status: Clean X-Spam-Status: No, hits=1.6 required=5.0 tests=NO_REAL_NAME,PRIORITY_NO_NAME, X_PRIORITY_HIGH autolearn=no version=2.63-achean_mailfilter_v1.00 X-Spam-Report: * 0.5 X_PRIORITY_HIGH Sent with 'X-Priority' set to high * 0.3 NO_REAL_NAME From: does not include a real name * 0.8 PRIORITY_NO_NAME Message has priority setting, but no X-Mailer X-Spam-Level: * 
X-Spam-Checker-Version: SpamAssassin 2.63-achean_mailfilter_v1.00 (2004-01-11) on ajax.achean.com Subject: Re: Hacked or not ? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 12 Jun 2004 12:02:01 -0000 I have seen this as well; it is most likely a false positive. Additionally, slower or more heavily loaded machines seem more likely to generate false positives for LKM. As a side note, there really ought to be a way for admins to double-check the output from chkrootkit. Google helps little. Any offers..? Jon > Hi all, > > please advise me - I was on holidays for one week. After return I found in security mails from router (chkrootkit) the following message: > Checking `lkm'... You have 1 process hidden for readdir command You have 1 process hidden for ps command > Warning: Possible LKM Trojan installed > > It appeared only once. From previous and next days' reports, the message is not present. > > How could I be sure the machine is not hacked? > > Many thanks for any response. 
> > Peter Rosa > > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to > "freebsd-security-unsubscribe@freebsd.org" > From owner-freebsd-security@FreeBSD.ORG Sat Jun 12 12:39:35 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 905B716A4CE for ; Sat, 12 Jun 2004 12:39:35 +0000 (GMT) Received: from ns.pro.sk (proxy.pro.sk [212.55.244.46]) by mx1.FreeBSD.org (Postfix) with ESMTP id E4F5B43D41 for ; Sat, 12 Jun 2004 12:39:34 +0000 (GMT) (envelope-from prosa@pro.sk) Received: from peter (Ucto [192.168.1.53]) by ns.pro.sk (8.12.9p2/8.12.9) with SMTP id i5CCdWQA013851; Sat, 12 Jun 2004 14:39:32 +0200 (CEST) (envelope-from prosa@pro.sk) Message-ID: <01b701c4507a$49399840$3501a8c0@pro.sk> From: "Peter Rosa" To: "Lupe Christoph" References: <016301c4506e$947644e0$3501a8c0@pro.sk> <20040612114700.GA1082@lupe-christoph.de> Date: Sat, 12 Jun 2004 14:39:21 +0200 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1409 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409 X-RAVMilter-Version: 8.4.3(snapshot 20030217) (ns.pro.sk) cc: FreeBSD Security Subject: Re: Hacked or not ? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 12 Jun 2004 12:39:35 -0000 Yes, it runs Tripwire. There is nothing unusual in its logs. I wanted to have some sureness. That message NEVER appeared on that machine before, and chkrootkit has been running for about one year. At the same time I found some trojans originating from web sites on another Windoze machine on my network. So I got scared that my router could have been hacked. 
Maybe the "LKM" message was caused by some process terminating, as you wrote. It's also used as a mailserver with AV daemons, so there are such "temporary" processes. But what about the absence of the /var/log/messages logs? And how to test the machine, if it is healthy? Peter Rosa P.S. Sorry if this is not the PROPER list, but I'm a member of a few other lists and this one seems as proper as possible to me. It's about SECURITY, isn't it? From owner-freebsd-security@FreeBSD.ORG Sat Jun 12 13:07:05 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4A82B16A4CE for ; Sat, 12 Jun 2004 13:07:05 +0000 (GMT) Received: from smtp.mi.is (smtp.mi.is [217.151.180.17]) by mx1.FreeBSD.org (Postfix) with ESMTP id C6A5D43D1F for ; Sat, 12 Jun 2004 13:07:04 +0000 (GMT) (envelope-from thib@mi.is) Received: from caulfield (bofh.bitcode.org [217.151.165.254]) by smtp.mi.is (8.12.10/8.12.10/1.0.1) with SMTP id i5CD2p27019707 for ; Sat, 12 Jun 2004 13:02:51 GMT Date: Sat, 12 Jun 2004 13:03:07 +0000 From: Thordur Ivar To: freebsd-security@freebsd.org Message-Id: <20040612130307.2c4483cb.thib@mi.is> In-Reply-To: <019101c45072$a8b9cfe0$3501a8c0@pro.sk> References: <019101c45072$a8b9cfe0$3501a8c0@pro.sk> Organization: n/a X-Mailer: Sylpheed version 0.9.10 (GTK+ 1.2.10; i386-portbld-freebsd5.2) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Subject: Re: Hacked or not appendice X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 12 Jun 2004 13:07:05 -0000 I have on a CD a number of binaries (sources actually) (e.g. ls, find, grep, awk, sed, locate, etc.
) and when I believe that a machine has been cracked I remove the network cable from that machine, mount the CD-ROM, build the sources and start looking. If I need something in that process I put it on my USB memstick from a 'trusted machine' and move it by hand. Roughly speaking this is my process. >On Sat, 12 Jun 2004 13:44:45 +0200 >"Peter Rosa" wrote: > Hi all again, > > I must add, there are no log entries after June 9, 2004. "LKM" message first > appeared June 8, 2004, after this day, there is nothing in /var/messages, > /var/security ..... > > How could I look for a suspicious LKM module? How could I find it, if the > machine is hacked and I cannot believe the "ls", "find" etc. commands? > > Peter Rosa > > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" > > From owner-freebsd-security@FreeBSD.ORG Sat Jun 12 13:46:34 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 989FA16A4CE for ; Sat, 12 Jun 2004 13:46:34 +0000 (GMT) Received: from techno.sub.ru (webmail.sub.ru [213.247.139.22]) by mx1.FreeBSD.org (Postfix) with SMTP id 5BA7743D48 for ; Sat, 12 Jun 2004 13:46:33 +0000 (GMT) (envelope-from tarkhil@webmail.sub.ru) Received: (qmail 46512 invoked by uid 0); 12 Jun 2004 13:45:32 -0000 Received: from webmail.sub.ru (HELO tarkhil.over.ru) (213.247.139.22) by techno.sub.ru with SMTP; 12 Jun 2004 13:45:32 -0000 Date: Sat, 12 Jun 2004 17:45:29 +0400 From: Alex Povolotsky To: freebsd-security@freebsd.org Message-Id: <20040612174529.0dc73ac9@tarkhil.over.ru> In-Reply-To: <20040612130307.2c4483cb.thib@mi.is> References: <019101c45072$a8b9cfe0$3501a8c0@pro.sk> <20040612130307.2c4483cb.thib@mi.is> Organization: sub.ru X-Mailer: Sylpheed version 0.9.9claws (GTK+ 1.2.10; 
i386-portbld-freebsd4.8) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Subject: Re: Hacked or not appendice X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 12 Jun 2004 13:46:34 -0000 On Sat, 12 Jun 2004 13:03:07 +0000 Thordur Ivar wrote: TI> I have on a CD a number of binaries (sources actually) (e.g. ls, TI> find, grep, awk, sed, locate, etc.) and when I believe that a TI> machine has been cracked I remove the network cable from that TI> machine and mount the cdrom build the sources and start looking. If TI> I need something in that process I put it on my USB memstick from a TI> 'trusted machine' and move it by hand over. When I was unable to do the same thing, I recompiled the md5 tool from freshly fetched sources and used it to test utilities. I don't believe in an attacker catching the build process transparently... -- Alex. 
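The "1 process hidden" warning that started this thread comes from chkrootkit comparing two process listings, and, as Lupe Christoph explained above, a process that exits between the two walks trips it. The following is an added example, not chkrootkit's code and not something anyone in the thread posted: it takes the symmetric difference of two PID sets and reports only a PID that stays hidden across repeated samples, which is what separates the race from a process an LKM is actually filtering out. The PIDs, snapshots and the sampler are constructed for illustration; the optional live_sample() assumes a system where /proc is mounted and ps(1) accepts `-axo pid=`.

```python
"""Cross-check two process enumerations and suppress the ps-vs-/proc race.

Constructed example for the freebsd-security thread; it is not chkrootkit.
The canned snapshots below stand in for real ps and /proc walks.
"""
import os
import subprocess
from typing import Callable, Iterable, List, Optional, Set, Tuple

Snapshot = Tuple[Set[int], Set[int]]


def hidden_pids(ps_pids: Iterable[int], proc_pids: Iterable[int]) -> Set[int]:
    """PIDs visible through one enumeration method but not the other.

    A kernel-level rootkit that filters what ps(1) sees usually leaves the
    PID reachable by another path (or vice versa), so the symmetric
    difference is the signal chkrootkit's `lkm` test looks for.
    """
    return set(ps_pids) ^ set(proc_pids)


def confirm_hidden(sample: Callable[[], Snapshot], rounds: int = 3) -> Set[int]:
    """Return only PIDs that are hidden in every one of `rounds` samples.

    A process that exits (or is spawned) between the ps walk and the /proc
    walk differs in exactly one sample and is gone the next time; a PID a
    rootkit hides is missing from the same list every time. Intersecting
    the differences across samples keeps the second case and drops the first.
    """
    persistent: Optional[Set[int]] = None
    for _ in range(rounds):
        ps_pids, proc_pids = sample()
        diff = hidden_pids(ps_pids, proc_pids)
        persistent = diff if persistent is None else persistent & diff
        if not persistent:          # nothing survived: it was a race
            break
    return persistent or set()


def live_sample() -> Snapshot:
    """One real sample: ps(1) output versus numeric entries in /proc.

    Assumption: /proc is mounted (not the default on FreeBSD) and ps
    understands `-axo pid=` (FreeBSD and Linux procps both do).
    """
    out = subprocess.run(["ps", "-axo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    ps_pids = {int(tok) for tok in out.split()}
    proc_pids = {int(d) for d in os.listdir("/proc") if d.isdigit()}
    return ps_pids, proc_pids


def make_sampler(snapshots: List[Snapshot]) -> Callable[[], Snapshot]:
    """Return a sampler that yields the canned (ps, proc) pairs in order."""
    it = iter(snapshots)
    return lambda: next(it)


# Constructed snapshot series 1: PID 4711 (say, an AV helper) exits between
# the ps walk and the /proc walk of the first sample, then never recurs.
RACE: List[Snapshot] = [
    ({1, 2, 900, 4711}, {1, 2, 900}),
    ({1, 2, 900}, {1, 2, 900}),
    ({1, 2, 900}, {1, 2, 900}),
]

# Constructed snapshot series 2: PID 31337 is never shown by ps but is
# reachable via /proc in every sample, while other processes come and go.
ROOTKIT: List[Snapshot] = [
    ({1, 2, 900}, {1, 2, 900, 31337}),
    ({1, 2, 555, 900}, {1, 2, 555, 900, 31337}),
    ({1, 2, 900}, {1, 2, 900, 31337}),
]

if __name__ == "__main__":
    print("race   :", confirm_hidden(make_sampler(RACE)))
    print("rootkit:", confirm_hidden(make_sampler(ROOTKIT)))
```

Three samples a few hundred milliseconds apart are enough to make a mail server's short-lived AV children disappear from the result while a persistently hidden PID stays; chkrootkit itself takes a single pair, which is why Lupe sees the warning at irregular intervals. A clean result from this check still says nothing about a rootkit that hides the PID from both ps and /proc, which is why the thread's advice to verify the binaries and kernel from trusted media stands regardless.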
From owner-freebsd-security@FreeBSD.ORG Sat Jun 12 13:52:14 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8706816A4CE for ; Sat, 12 Jun 2004 13:52:14 +0000 (GMT) Received: from techno.sub.ru (webmail.sub.ru [213.247.139.22]) by mx1.FreeBSD.org (Postfix) with SMTP id 884BA43D5A for ; Sat, 12 Jun 2004 13:52:13 +0000 (GMT) (envelope-from tarkhil@webmail.sub.ru) Received: (qmail 48883 invoked by uid 0); 12 Jun 2004 13:50:35 -0000 Received: from webmail.sub.ru (HELO tarkhil.over.ru) (213.247.139.22) by techno.sub.ru with SMTP; 12 Jun 2004 13:50:35 -0000 Date: Sat, 12 Jun 2004 17:50:35 +0400 From: Alex Povolotsky To: freebsd-security@freebsd.org Message-Id: <20040612175035.739bbfa4@tarkhil.over.ru> In-Reply-To: <01b701c4507a$49399840$3501a8c0@pro.sk> References: <016301c4506e$947644e0$3501a8c0@pro.sk> <20040612114700.GA1082@lupe-christoph.de> <01b701c4507a$49399840$3501a8c0@pro.sk> Organization: sub.ru X-Mailer: Sylpheed version 0.9.9claws (GTK+ 1.2.10; i386-portbld-freebsd4.8) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Subject: Re: Hacked or not ? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 12 Jun 2004 13:52:14 -0000 On Sat, 12 Jun 2004 14:39:21 +0200 "Peter Rosa" wrote: PR> But what about the /var/log/messages logs absence ? PR> And, how to test the machine, if it is healthy ? Boot from CD and compare md5 checksums on system files. That's the first step. Compare your kernel sources with clean ones, rebuild kernel and compare it with the running one. If you're running GENERIC, compare it with the distributed one. Compare /modules directory with distribution one. Check your (and system) .profile or .login etc. 
After this step, you should have a reasonably clean system. -- Alex. From owner-freebsd-security@FreeBSD.ORG Sat Jun 12 14:08:10 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0C77116A4CE for ; Sat, 12 Jun 2004 14:08:09 +0000 (GMT) Received: from smtp810.mail.sc5.yahoo.com (smtp810.mail.sc5.yahoo.com [66.163.170.80]) by mx1.FreeBSD.org (Postfix) with SMTP id BE83C43D55 for ; Sat, 12 Jun 2004 14:08:09 +0000 (GMT) (envelope-from fscked@pacbell.net) Received: from unknown (HELO pacbell.net) (fscked@pacbell.net@67.124.120.100 with plain) by smtp810.mail.sc5.yahoo.com with SMTP; 12 Jun 2004 14:07:05 -0000 Message-ID: <40CB0D86.9080905@pacbell.net> Date: Sat, 12 Jun 2004 07:04:54 -0700 From: richard childers / kg6hac Organization: Daemonized Networking Services - http://www.daemonized.com User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax) X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-security@freebsd.org References: <20040612120107.1D3F116A4E6@hub.freebsd.org> In-Reply-To: <20040612120107.1D3F116A4E6@hub.freebsd.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: How do I tell I was hacked? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: fscked@pacbell.net List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 12 Jun 2004 14:08:10 -0000 > > >Date: Sat, 12 Jun 2004 13:15:33 +0200 >From: "Peter Rosa" >Subject: Hacked or not ? >To: "FreeBSD Security" >Message-ID: <016301c4506e$947644e0$3501a8c0@pro.sk> > >Hi all, > >please advise me - I was on holidays for one week. After return I found in >security mails from router (chkrootkit) the following message: >Checking `lkm'... 
You have 1 process hidden for readdir command >You have 1 process hidden for ps command >Warning: Possible LKM Trojan installed > >It appeared only once. From previous and next days' reports, the message is >not present. > >How could I be sure the machine is not hacked? > >
[1] Make backups. tar(1), dump(8), doesn't matter.
[2] Reinstall an identical operating system on new equipment.
[3] Restore the backups into a large partition sized for this operation (call it '/backups').
[4] Compare the contents of each directory in /backups recursively against a known good copy. For example, to compare /usr against the backed-up image, do this:
# diff -r /usr /backups/usr
[5] Review the list for files which differ or which do not exist on the known good copy.
[6] Exclude files for which there are good reasons for difference (i.e., logs and state files).
[7] Analyze the resulting files; pay particular attention to executables, but also libraries.
You may also find it useful to reload the old operating system onto a box on an insulated network and monitor the operating system, its processes and its network traffic, using known good tools.
Regards, -- richard -- Richard Childers / Senior Engineer Daemonized Networking Services 945 Taraval Street, #105 San Francisco, CA 94116 USA [011.]1.415.759.5571 http://www.daemonized.com From owner-freebsd-security@FreeBSD.ORG Sat Jun 12 14:08:53 2004 Return-Path: Delivered-To: 
freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8B94416A4CE for ; Sat, 12 Jun 2004 14:08:53 +0000 (GMT) Received: from buexe.b-5.de (buexe.b-5.de [80.148.32.30]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3222B43D1F for ; Sat, 12 Jun 2004 14:08:52 +0000 (GMT) (envelope-from lupe@lupe-christoph.de) Received: from antalya.lupe-christoph.de ([172.17.0.9])i5CE7CS20254; Sat, 12 Jun 2004 16:07:12 +0200 Received: from localhost (localhost [127.0.0.1]) by antalya.lupe-christoph.de (Postfix) with ESMTP id AE3BAB942; Sat, 12 Jun 2004 16:07:06 +0200 (CEST) Received: from antalya.lupe-christoph.de ([127.0.0.1]) by localhost (antalya [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 16907-01-6; Sat, 12 Jun 2004 16:07:06 +0200 (CEST) Received: by antalya.lupe-christoph.de (Postfix, from userid 1000) id 9266FB886; Sat, 12 Jun 2004 16:07:06 +0200 (CEST) Date: Sat, 12 Jun 2004 16:07:06 +0200 To: Peter Rosa Message-ID: <20040612140706.GB1082@lupe-christoph.de> References: <019101c45072$a8b9cfe0$3501a8c0@pro.sk> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <019101c45072$a8b9cfe0$3501a8c0@pro.sk> User-Agent: Mutt/1.5.5.1+cvs20040105i From: lupe@lupe-christoph.de (Lupe Christoph) X-Virus-Scanned: by amavisd-new-20030616-p7 (Debian) at lupe-christoph.de cc: FreeBSD Security Subject: Re: Hacked or not appendice X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 12 Jun 2004 14:08:53 -0000 On Saturday, 2004-06-12 at 13:44:45 +0200, Peter Rosa wrote: > I must add, there are no log entries after June 9, 2004. "LKM" message first > appeared June 8, 2004, after this day, there is nothing in /var/messages, > /var/security ..... Check if your syslog daemon is running. 
Also try to log something from the command line with logger. > How could I look for suspicious LKM module ? How could I find it, if the > machine is hacked and I can not believe "ls", "find" etc. commands ? Dunno. I've turned off modules on all my FreeBSD machines. IIRC, the way to check binaries is to "make buildworld", install somewhere else and compare. Of course, you should not build on a suspect machine. Have you turned on securelevel? HTH, Lupe Christoph -- | lupe@lupe-christoph.de | http://www.lupe-christoph.de/ | | "... putting a mail server on the Internet without filtering is like | | covering yourself with barbecue sauce and breaking into the Charity | | Home for Badgers with Rabies. Michael Lucas | From owner-freebsd-security@FreeBSD.ORG Sat Jun 12 21:29:39 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D87C816A4CE for ; Sat, 12 Jun 2004 21:29:39 +0000 (GMT) Received: from mail006.syd.optusnet.com.au (mail006.syd.optusnet.com.au [211.29.132.63]) by mx1.FreeBSD.org (Postfix) with ESMTP id D23D143D48 for ; Sat, 12 Jun 2004 21:29:38 +0000 (GMT) (envelope-from PeterJeremy@optushome.com.au) Received: from cirb503493.alcatel.com.au (c211-30-75-229.belrs2.nsw.optusnet.com.au [211.30.75.229]) i5CLTRx15561; Sun, 13 Jun 2004 07:29:27 +1000 Received: from cirb503493.alcatel.com.au (localhost.alcatel.com.au [127.0.0.1])i5CLTQVd035021; Sun, 13 Jun 2004 07:29:26 +1000 (EST) (envelope-from pjeremy@cirb503493.alcatel.com.au) Received: (from pjeremy@localhost)i5CLTQDj035020; Sun, 13 Jun 2004 07:29:26 +1000 (EST) (envelope-from pjeremy) Date: Sun, 13 Jun 2004 07:29:26 +1000 From: Peter Jeremy To: Thordur Ivar Message-ID: <20040612212926.GL1596@cirb503493.alcatel.com.au> References: <019101c45072$a8b9cfe0$3501a8c0@pro.sk> <20040612130307.2c4483cb.thib@mi.is> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline 
In-Reply-To: <20040612130307.2c4483cb.thib@mi.is> User-Agent: Mutt/1.4.2i cc: freebsd-security@freebsd.org Subject: Re: Hacked or not appendice X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 12 Jun 2004 21:29:40 -0000 On Sat, 2004-Jun-12 13:03:07 +0000, Thordur Ivar wrote: >I have on a CD a number of binaries (sources actually) (e.g. ls, >find, grep, awk, sed, locate, etc.) and when I believe that a >machine has been cracked I remove the network cable from that machine >and mount the cdrom build the sources and start looking. If I need >something in that process I put it on my USB memstick from a 'trusted >machine' and move it by hand over. [Please wrap your mail before 80 characters] Why would you trust the toolchain on a potentially hacked machine? There's an old paper by Ken Thompson that discusses patching the C compiler to recognize the login sources and re-introduce a backdoor - even if it was removed from the login sources. You would be much better off booting a fixit CD-ROM and using that rather than trusting anything on the potentially hacked system. 
-- Peter Jeremy From owner-freebsd-security@FreeBSD.ORG Sat Jun 12 23:54:43 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 32C1B16A4CE for ; Sat, 12 Jun 2004 23:54:43 +0000 (GMT) Received: from mail.elvandar.org (cust.94.120.adsl.cistron.nl [195.64.94.120]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8E64143D1D for ; Sat, 12 Jun 2004 23:54:40 +0000 (GMT) (envelope-from remko@elvandar.org) Received: from [10.0.3.124] (aragorn.lan.elvandar.intranet [10.0.3.124]) by mail.elvandar.org (Postfix) with ESMTP id 960F8106878; Sun, 13 Jun 2004 01:54:07 +0200 (CEST) Message-ID: <40CB97A0.3040407@elvandar.org> Date: Sun, 13 Jun 2004 01:54:08 +0200 From: Remko Lodder X-Accept-Language: en-us, en MIME-Version: 1.0 To: Peter Jeremy References: <019101c45072$a8b9cfe0$3501a8c0@pro.sk> <20040612130307.2c4483cb.thib@mi.is> <20040612212926.GL1596@cirb503493.alcatel.com.au> In-Reply-To: <20040612212926.GL1596@cirb503493.alcatel.com.au> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Scanned: by amavisd-new at elvandar.org cc: freebsd-security@freebsd.org cc: Thordur Ivar Subject: Re: [Freebsd-security] Re: Hacked or not appendice X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 12 Jun 2004 23:54:43 -0000 Hey Peter Jeremy wrote: > > [Please wrap your mail before 80 characters] > > Why would you trust the toolchain on a potentially hacked machine? > There's an old paper by Ken Thompson that dicusses patching the C > compiler to recognize the login sources and re-introduce a backdoor - > even it was removed from the login sources. 
> > You would be much better off booting a fixit CD-ROM and using that > rather than trusting anything on the potentially hacked system. Indeed, one should make a backup copy (if possible) of the potentially hacked computer (Drive) and take the machine offline. Then insert the backupdisk in a other pc, (or the same, with the original hd stored safely) and startup your Live-cd kit (which can be a freebsd version from cd, or linux). Make sure that the tools necessary are on the live cd;-) and to forensics (tct might help (The Coroners Toolkit).. After finding out what happened, format the disk, and reinstall from scratch, be hostile to every config file and stuff you backupped, because you might not be able to tell when the potential hack took place..... Cheers :-) > -- Kind regards, Remko Lodder |remko@elvandar.org Reporter DSINet |remko@dsinet.org Projectleader Mostly-Harmless |remko@mostly-harmless.nl
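The advice in this thread (Lupe: build world on a clean box and compare; Peter and Remko: do the comparison while booted from a fixit or live CD so nothing on the suspect disk is executed) amounts to a manifest check. The following is an added example, not code from any of the posters or from FreeBSD: it hashes a tree built on a trusted host into a manifest, then classifies every file on a suspect tree as modified, missing or unexpected. The two directory trees it walks are constructed sample data with fake ELF stubs, not real binaries; the function and path names are this example's own.

```python
"""Compare a suspect installation against a manifest built on a trusted host.

Added example for the thread above; not code from the list or from FreeBSD.
Intended use: run build_manifest() on the clean build (or the install tree
from a fixit CD) on a trusted machine, carry the resulting manifest on
read-only media, boot the suspect box from a live CD, mount its disk
read-only and compare. Nothing on the suspect disk is executed.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (path relative to root) to its SHA-256.

    Symlinks are skipped: a trojaned symlink target would be caught when the
    target itself is hashed, and following links could wander off the tree."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            manifest[str(p.relative_to(root))] = sha256_file(p)
    return manifest


def compare_manifests(reference: dict, suspect: dict) -> dict:
    """Classify differences between the trusted manifest and the suspect tree."""
    return {
        # same path, different content: the classic replaced ls/ps/find
        "modified": sorted(k for k in reference if k in suspect and reference[k] != suspect[k]),
        # present on the clean build but gone from the suspect
        "missing": sorted(k for k in reference if k not in suspect),
        # present on the suspect but never produced by the clean build
        "unexpected": sorted(k for k in suspect if k not in reference),
    }


def make_constructed_trees(base: Path) -> tuple:
    """Constructed sample data (hypothetical, not real binaries): a 'reference'
    tree from a trusted build and a 'suspect' copy that differs in three ways."""
    ref = base / "reference"
    sus = base / "suspect"
    for root in (ref, sus):
        (root / "bin").mkdir(parents=True)
        (root / "usr" / "bin").mkdir(parents=True)
        (root / "bin" / "ls").write_bytes(b"\x7fELF ls-clean")
        (root / "bin" / "ps").write_bytes(b"\x7fELF ps-clean")
        (root / "usr" / "bin" / "find").write_bytes(b"\x7fELF find-clean")
    # The suspect copy: one altered binary, one deleted binary, one extra file.
    (sus / "bin" / "ls").write_bytes(b"\x7fELF ls-altered")
    (sus / "bin" / "ps").unlink()
    (sus / "usr" / "bin" / "extra").write_bytes(b"\x7fELF not-in-manifest")
    return ref, sus


def run_demo() -> dict:
    """Build both constructed trees in a temp dir and return the comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, sus = make_constructed_trees(Path(tmp))
        return compare_manifests(build_manifest(ref), build_manifest(sus))


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind}: {paths}")
```

On a real FreeBSD host the same job can be done with the base system's own mtree(8), which writes a specification with per-file digests (for example `mtree -c -K sha256digest -p /trusted/root`) and later checks a tree against it; the point either way is that the manifest is produced on a trusted build, stored off the suspect machine, and the comparison runs from trusted media, so a Thompson-style compromised toolchain or replaced ls/find on the suspect disk never gets a say.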
