From owner-freebsd-security Mon Jul 28 05:37:36 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id FAA00659 for security-outgoing; Mon, 28 Jul 1997 05:37:36 -0700 (PDT)
Received: from cyrus.watson.org (robert@cyrus.watson.org [207.86.4.20]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id FAA00650 for ; Mon, 28 Jul 1997 05:37:31 -0700 (PDT)
Received: from localhost (robert@localhost) by cyrus.watson.org (8.8.5/8.8.5) with SMTP id IAA03043; Mon, 28 Jul 1997 08:36:53 -0400 (EDT)
Date: Mon, 28 Jul 1997 08:36:52 -0400 (EDT)
From: Robert Watson
Reply-To: Robert Watson
To: Vincent Poy
cc: Tomasz Dudziak , security@FreeBSD.ORG, "[Mario1-]" , JbHunt
Subject: Re: security hole in FreeBSD
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 28 Jul 1997, Vincent Poy wrote:

> On Mon, 28 Jul 1997, Tomasz Dudziak wrote:
>
> =)Well it is possible that he has recompiled /usr/bin/login for example.
> =)Something like:
> =)if(strcmp(username, "blahblah")==0)
> =){
> =)setuid(0);
> =)setgid(0);
> =)system("/bin/sh");
> =)}
> =)inserted does the job. You are then invisible to w and others... but not
> =)netstat i think...
>
> 	He wasn't invisible to netstat but he did do something that faked
> the hostname even in netstat.

In this case, the chances are he just inserted some dud DNS entries, or
simply set his in-addr.arpa to something nasty. There's nothing one can do
to prevent an authoritative name entry (trash or not) from being accepted
in DNS or DNSsec.

One thing I would like to see is logging of IP address *and* hostname in
the logs. Both are useful, depending on the situation. Due to the nature
of TCP, IP addresses are fairly useful in tracing an attack, but often,
especially after a time delay, hostnames are the only way to easily
contact the maintainer of the IP address.
Hostname is also more useful in spotting attacks in the first place, as
it's easy for a user to tell when they've logged in from somewhere they
haven't :).

BTW, does anyone know if there is a secure logging protocol? Syslog on UDP
seems a tad unreliable, not to mention opening one up to DoS. I log to a
loghost, and that machine could easily suffer DoS from log flooding, etc.
A simple signature arrangement using MD5 (HMAC?) similar to DNS TSIG would
be easy enough to arrange, and far more secure. I assume someone,
somewhere has written one, or implemented one, but I haven't been
following the Internet Draft releases too closely.

> =)There was a security hole some time ago in perl that allowed local users
> =)to gain root access... That's probably the way he got root access...
> =)I would check my binaries, sup and recompile.
>
> 	Hmmm, I supped the perl from the most recent ports tree and also
> all the binaries are about 2 months old from the -current tree. I thought
> the security hole was way before that. What I didn't get is how did he
> get access to the second system (earth) when he doesn't have a account
> there in the first place?

I'd be tempted to look in all the normal places -- sendmail, etc. What
daemons were running on the machine? Any web server processes? Also, I'd
heavily suspect that he sniffed a password if no encrypted telnet/ssh is
in use. Any use of NIS going on? Also, .rhosts arrangements can be
extremely unhappy if we already know (s)he is messing with DNS entries.

Robert Watson
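The "simple signature arrangement similar to DNS TSIG" that Robert asks about, worked through as an added example; this is not code from the original post, from the list, or from any FreeBSD or syslog implementation. Each record carries a TSIG-style key name, a per-sender sequence number, the source IP address *and* the reverse-DNS hostname (both, as the post recommends), and an HMAC over a canonical encoding of those fields; the loghost drops records whose MAC fails and records whose sequence number does not advance, so a flood of forged or replayed datagrams costs one HMAC each and never reaches the log. The key names, key values, the JSON canonical form, the space-separated wire format and the sample records are all assumptions constructed for the example; the post suggests HMAC-MD5 (what TSIG originally used), while this defaults to SHA-256 and lets you pass `digest=hashlib.md5` to reproduce the MD5 variant.

```python
import hashlib
import hmac
import json

# The post suggests HMAC-MD5, as TSIG originally used; SHA-256 is the sensible
# default today.  Pass digest=hashlib.md5 to both sides for the TSIG-era scheme.
DEFAULT_DIGEST = hashlib.sha256

# Per-sender keys indexed by a TSIG-style key name.  Provisioned out of band
# (a root-only file on each host); names and values here are constructed.
KEYS = {
    "cyrus-key": b"constructed-secret-for-cyrus",
    "earth-key": b"constructed-secret-for-earth",
}


def canonical(fields):
    """Deterministic bytes both sides MAC over: JSON with sorted keys and no
    whitespace, so a hostile value (say a PTR record containing tabs or
    newlines) cannot forge a field boundary."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_record(key_name, seq, src_ip, src_host, msg, keys=KEYS, digest=DEFAULT_DIGEST):
    """Sender side: one record with key name, per-sender sequence number,
    the IP address the packet came from, the reverse-DNS name, and the message."""
    fields = {"key": key_name, "seq": seq, "ip": src_ip, "host": src_host, "msg": msg}
    body = canonical(fields)
    mac = hmac.new(keys[key_name], body, digest).hexdigest()
    # Wire format (assumed): body, one space, hex MAC.  The hex MAC never
    # contains a space, so the receiver can split on the last space.
    return body + b" " + mac.encode("ascii")


class LogHost:
    """Receiver side: verify the MAC, then require a strictly increasing
    sequence number per key so replays and UDP duplicates are dropped."""

    def __init__(self, keys=KEYS, digest=DEFAULT_DIGEST):
        self.keys = keys
        self.digest = digest
        self.last_seq = {}   # key name -> highest accepted sequence number
        self.accepted = []   # verified records in arrival order

    def receive(self, wire):
        """Return (True, fields) for an accepted record, else (False, reason)."""
        body, sep, mac = wire.rpartition(b" ")
        if not sep:
            return False, "malformed"
        # As in TSIG the key name has to be read before the MAC can be checked;
        # nothing else in the body is trusted until the MAC verifies.
        try:
            fields = json.loads(body)
            key = self.keys.get(fields["key"])
            seq = int(fields["seq"])
        except (ValueError, KeyError, TypeError):
            return False, "malformed"
        if key is None:
            return False, "unknown key"
        expected = hmac.new(key, body, self.digest).hexdigest().encode("ascii")
        if not hmac.compare_digest(mac, expected):   # constant-time compare
            return False, "bad mac"
        if seq <= self.last_seq.get(fields["key"], -1):
            return False, "replay"
        self.last_seq[fields["key"]] = seq
        self.accepted.append(fields)
        return True, fields


def demo():
    """Constructed exchange: a good record, a tampered copy, and a replay."""
    loghost = LogHost()
    good = sign_record("cyrus-key", 1, "192.0.2.10", "cyrus.example",
                       "login: ROOT LOGIN REFUSED ON ttyp0")
    ok_good, _ = loghost.receive(good)
    # Someone who controls the in-addr.arpa zone can only influence the
    # hostname before it is signed; altering it afterwards breaks the MAC.
    tampered = good.replace(b"cyrus.example", b"trusted.example")
    ok_tampered, why_tampered = loghost.receive(tampered)
    ok_replay, why_replay = loghost.receive(good)
    return ok_good, (ok_tampered, why_tampered), (ok_replay, why_replay)


if __name__ == "__main__":
    print(demo())
```

The sequence number is what turns a bare MAC into something a loghost can rely on under UDP: without it, a captured datagram can be re-sent indefinitely and will always verify. A real deployment would also persist `last_seq` across loghost restarts and include a timestamp window, neither of which the post discusses and neither of which is shown here.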