Date:      Mon, 28 Jul 1997 08:36:52 -0400 (EDT)
From:      Robert Watson <robert@cyrus.watson.org>
To:        Vincent Poy <vince@mail.MCESTATE.COM>
Cc:        Tomasz Dudziak <loco@onyks.wszib.poznan.pl>, security@FreeBSD.ORG, "[Mario1-]" <mario1@PrimeNet.Com>, JbHunt <johnnyu@accessus.net>
Subject:   Re: security hole in FreeBSD
Message-ID:  <Pine.BSF.3.95q.970728082931.3000B-100000@cyrus.watson.org>
In-Reply-To: <Pine.BSF.3.95.970728043652.3844F-100000@mail.MCESTATE.COM>

On Mon, 28 Jul 1997, Vincent Poy wrote:

> On Mon, 28 Jul 1997, Tomasz Dudziak wrote:
> 
> =)Well it is possible that he has recompiled /usr/bin/login for example.
> =)Something like:
> =)if(strcmp(username, "blahblah")==0)
> =){
> =)setuid(0);
> =)setgid(0);
> =)system("/bin/sh");
> =)}
> =)inserted does the job. You are then invisible to w and others... but not
> =)netstat I think...
> 
> 	He wasn't invisible to netstat but he did do something that faked
> the hostname even in netstat.

In this case, the chances are he just inserted some dud DNS entries, or
simply set his in-addr.arpa to something nasty.  There's nothing one can
do to prevent an authoritative name entry (trash or not) from being
accepted in DNS or DNSsec.  One thing I would like to see is logging of IP
address *and* hostname in the logs.  Both are useful, depending on the
situation.  Due to the nature of TCP, IP addresses are fairly useful in
tracing an attack, but often, especially after a time delay, hostnames are
the only way to easily contact the maintainer of the IP address.  Hostname
is also more useful in spotting attacks in the first place, as it's easy
for a user to tell when they've logged in from somewhere they haven't :).

BTW, does anyone know if there is a secure logging protocol?  Syslog on
UDP seems a tad unreliable, not to mention opening one up to DoS.  I log
to a loghost, and that machine could easily suffer DoS from log flooding,
etc.  A simple signature arrangement using MD5 (HMAC?) similar to DNS TSIG
would be easy enough to arrange, and far more secure.  I assume someone,
somewhere has written one, or implemented one, but I haven't been
following the Internet Draft releases too closely.

> =)There was a security hole some time ago in perl that allowed local users
> =)to gain root access... That's probably the way he got root access...
> =)I would check my binaries, sup and recompile.
> 
> 	Hmmm, I supped the perl from the most recent ports tree and also
> all the binaries are about 2 months old from the -current tree.  I thought
> the security hole was way before that.  What I didn't get is how did he
> get access to the second system (earth) when he doesn't have an account
> there in the first place?

I'd be tempted to look in all the normal places -- sendmail, etc.  What
daemons were running on the machine?  Any web server processes?  Also, I'd
heavily suspect that he sniffed a password if no encrypted telnet/ssh is
in use.  Any use of NIS going on?  Also, .rhosts arrangements can be
extremely unhappy if we already know (s)he is messing with DNS entries.

Robert Watson
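The signed-log arrangement Robert asks about, sketched as an added example that is not from this thread or from FreeBSD: a TSIG-style named shared key signs each syslog-style line together with a sequence number and timestamp, using HMAC-SHA256 instead of the MD5 he mentions, and the loghost rejects forged, stale or replayed records while reporting gaps where UDP dropped some. The key name, secret, fudge window and log lines are constructed for the example; each line carries both IP address and hostname, as the message suggests.

```python
import hashlib
import hmac

# Constructed values for this example: a named shared key, as DNS TSIG uses.
KEY_NAME = "loghost-key"
SECRET = b"constructed-shared-secret"
FUDGE = 300  # seconds of clock skew tolerated, like TSIG's "fudge" field


def sign_record(seq, ts, msg, secret=SECRET):
    """Append an HMAC over key name, sequence number, timestamp and message."""
    body = f"{KEY_NAME} {seq} {ts} {msg}"
    mac = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body} {mac}"


def verify_record(line, expected_seq, now, secret=SECRET):
    """Return (accept, verdict, seq). Accept only a valid MAC, a fresh timestamp
    and a sequence number not already seen; a forward jump is accepted but
    reported, since over UDP it means records were lost."""
    try:
        body, mac = line.rsplit(" ", 1)
        key_name, seq_s, ts_s, _msg = body.split(" ", 3)
        seq, ts = int(seq_s), int(ts_s)
    except ValueError:
        return False, "malformed", None
    if key_name != KEY_NAME:
        return False, "unknown key", seq
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return False, "bad mac", seq
    if abs(now - ts) > FUDGE:
        return False, "stale", seq
    if seq < expected_seq:
        return False, "replay", seq
    if seq > expected_seq:
        return True, f"gap of {seq - expected_seq}", seq
    return True, "ok", seq


def process_stream(lines, now, start_seq=1):
    """Verify a received stream in order and return one verdict per line."""
    verdicts, expected = [], start_seq
    for line in lines:
        accept, verdict, seq = verify_record(line, expected, now)
        verdicts.append(verdict)
        if accept:
            expected = seq + 1
    return verdicts
```

Run on a constructed stream (a good record, a tampered copy of the next one, a record arriving after a drop, and a replayed first record) the verdicts come back as ok, bad mac, gap of 1, replay.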
