From owner-freebsd-questions@FreeBSD.ORG Wed Jan 18 13:56:29 2006
From: Kilian Hagemann <hagemann1@egs.uct.ac.za>
Organization: University of Cape Town
To: freebsd-questions@freebsd.org
Date: Wed, 18 Jan 2006 15:56:32 +0200
Subject: I have been hacked (WAS: Have I been hacked or is nmap wrong?)
In-Reply-To: <20060118123451.GA69630@abbott.allenmyland.com>
References: <200601171907.17831.hagemann1@egs.uct.ac.za> <200601181129.38634.hagemann1@egs.uct.ac.za> <20060118123451.GA69630@abbott.allenmyland.com>
Message-Id: <200601181556.33030.hagemann1@egs.uct.ac.za>

On Wednesday 18 January 2006 14:34, Ken Stevenson pondered:
> Is there any chance you have a router that's forwarding the ports
> in question to another computer?

Not that I know of.
The setup is quite simple:

              wireless          ethernet (PPPoE)            ethernet
    ISP <-------> Modem <-------> FreeBSD gateway <-------> LAN

FreeBSD is my router with ppp -ddial -nat and a custom ipfw script that blocks all incoming connections while allowing legitimate traffic out (with keep-state rules).

Check this out: ftp gives

    220 Frox transparent ftp proxy. Login with username[@host[:port]]
    Name (...)

I have never even heard of "frox" before, but after some googling it turns out that it's a GPL'ed transparent ftp proxy...

Also, I said smtp ports were open on the machines in question. I just verified that I can send emails via BOTH these systems even though no sendmail/exim/whatever was ever installed by me and sendmail_enable="None" on both.

My servers have been compromised, fantastic. And that with an initial firewalled setup that left NO open ports (I verified that a while ago with nmap). So much for my impression that FreeBSD was secure.

How could this have happened? ipfw buffer overflow? Some other unknown vulnerability? I really wanna find out how they got in (syslog offers no clues btw, I've been rootkitted after all :-( ).

Any suggestions other than format/reinstall/tripwire?

-- 
Kilian Hagemann
Climate Systems Analysis Group
University of Cape Town
Republic of South Africa
Tel(w): ++27 21 650 2748
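The core of the thread is a disagreement between two views of the same host: an nmap scan from outside reports open ports, while the gateway's own firewall should be blocking everything inbound. The script below is an added example, not code from the original post or from the FreeBSD project: it parses nmap's greppable output (nmap -oG) for ports in the "open" state, parses the output of sockstat -4l for what the host itself says is listening, and prints every port reachable from outside that nothing on the host admits to. Both inputs are constructed samples embedded in the script (the 192.0.2.10 address and the sockstat column layout are assumed for illustration); on a real system you would capture them with `nmap -oG - <host>` from an outside machine and `sockstat -4l` on the gateway.

```shell
#!/bin/sh
# Compare an external nmap view of a host against the host's own listener list.
# Ports open from outside but absent locally are a red flag: either something in
# front of the host answers them, or the host's userland tools are lying.

# Constructed sample of nmap greppable output (nmap -oG -), address is made up.
NMAP_GNMAP=$(printf 'Host: 192.0.2.10 ()\tPorts: 21/open/tcp//ftp///, 25/open/tcp//smtp///, 22/filtered/tcp//ssh///\tIgnored State: filtered (997)')

# Constructed sample of what `sockstat -4l` printed on the gateway itself.
SOCKSTAT_OUT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       512   4  tcp4   *:22                  *:*
root     syslogd    301   6  udp4   *:514                 *:*'

# open_ports_from_gnmap OUTPUT: print "proto/port" for each port nmap marked open.
# -oG separates the Host/Ports/Ignored fields with tabs; each port entry looks
# like "21/open/tcp//ftp///" and entries are comma-space separated.
open_ports_from_gnmap() {
    printf '%s\n' "$1" | awk -F'\t' '
        /^Host:/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^Ports: /) {
                sub(/^Ports: /, "", $i)
                n = split($i, p, ", ")
                for (j = 1; j <= n; j++) {
                    split(p[j], f, "/")
                    if (f[2] == "open") print f[3] "/" f[1]
                }
            }
        }' | sort -u
}

# listening_from_sockstat OUTPUT: print "proto/port" for each local listener.
# Column 5 is the protocol (tcp4/udp4), column 6 the local address "addr:port".
listening_from_sockstat() {
    printf '%s\n' "$1" | awk 'NR > 1 {
        proto = $5; sub(/4$|6$/, "", proto)
        n = split($6, a, ":"); print proto "/" a[n]
    }' | sort -u
}

# unexplained_ports NMAP_OUTPUT SOCKSTAT_OUTPUT: externally open ports with no
# matching local listener, one per line.
unexplained_ports() {
    ext=$(open_ports_from_gnmap "$1")
    loc=$(listening_from_sockstat "$2")
    printf '%s\n' "$ext" | while read -r p; do
        [ -n "$p" ] || continue
        printf '%s\n' "$loc" | grep -qx "$p" || printf '%s\n' "$p"
    done
}

unexplained_ports "$NMAP_GNMAP" "$SOCKSTAT_OUT"
```

With the samples above the script prints tcp/21 and tcp/25: both answer from outside, neither has a local listener. That result is consistent with either explanation raised in the thread: a device in front of the gateway (the modem) answering those ports itself, or a host whose sockstat/netstat/ps have been replaced to hide a listener. Since a suspected rootkit makes the host's own tools untrustworthy, run the local half from a known-good static binary or a clean boot medium, and probe the modem directly from the LAN side to see whether the FTP proxy banner comes from it rather than from FreeBSD.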