From owner-freebsd-questions Wed Apr 4 11:42:21 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from vcnet.com (mail.vcnet.com [209.239.239.15]) by hub.freebsd.org (Postfix) with SMTP id 49F1A37B72E for ; Wed, 4 Apr 2001 11:42:18 -0700 (PDT) (envelope-from jpr@vcnet.com)
Received: (qmail 30464 invoked by uid 1001); 4 Apr 2001 18:42:18 -0000
Date: Wed, 4 Apr 2001 11:42:18 -0700
From: Jon Rust
To: Gary Geisbert
Cc: freebsd-questions@freebsd.org
Subject: Re: 4.2S compromised: what now?
Message-ID: <20010404114217.B23357@mail.vcnet.com>
Mail-Followup-To: Gary Geisbert , freebsd-questions@freebsd.org
References: <20010404102928.A23357@mail.vcnet.com> <01040409504704.40117@fbsd.bethesda.emaginet.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <01040409504704.40117@fbsd.bethesda.emaginet.com>; from ggeisbert@e-centives.com on Wed, Apr 04, 2001 at 09:50:47AM -0400
X-Operating-System: http://www.freebsd.org/
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Wed, Apr 04, 2001 at 09:50:47AM -0400, Gary Geisbert wrote:
> On Wednesday 04 April 2001 13:29, Jon Rust wrote:
> >
> > The thing that concerns me is, how did they get into this account?
>
> I would start looking elsewhere on your network for answers. Your network is
> only as secure as your weakest link.. :-\ Perhaps the user uses the same
> password for all accounts, and someone rooted another machine on your
> network, and set up a sniffer...?

She has no other accounts on the network. The system was apparently broken
into before I was running 4.2-S... probably 4.1.1-S from Oct 19. Telnet was
allowed, but she only accessed it from our LAN.

This machine runs apache, mysqld, ncftpd, ntpd, sshd, telnetd (inetd), and
portmap. Portmap, sshd, and telnet are wrapped, but apparently not wrapped
well. I thought this line

    ALL : PARANOID : RFC931 20 : severity auth.info : \
        twist /bin/echo "See RFC931. Connection attempt logged."

prevented users with no reverse DNS from connecting. Maybe sshd doesn't
recognize this option? (None of the IPs they connected from had reverse DNS
set up.)

Speaking of which, didn't openssh have an exploit a few months ago? Maybe
that was how they got in?

The other systems on the net appear to be fine, and are not open to any
users besides myself from a very short list of IPs.

jon

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
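The hosts.allow rule quoted in the mail above hinges on what the PARANOID pattern actually matches. In hosts_access(5), PARANOID matches a client whose reverse (PTR) name does not resolve back to its address; a client with no PTR record at all is given the name "unknown" and is matched by the UNKNOWN pattern instead, so a rule keyed on PARANOID alone lets a no-reverse-DNS client fall through to whatever the remaining rules (or the default allow) say. The following is an added example, not code from the mail or from the tcp_wrappers project: a small Python model of libwrap's client classification and pattern matching, run over constructed client records, comparing the rule from the mail with the same rule extended by UNKNOWN. The rule evaluator is simplified (a single FreeBSD-style hosts.allow with per-rule actions, no hosts.deny, no netmask or user patterns) and the client addresses are constructed documentation-range values.

```python
"""Model of how TCP wrappers (hosts_access(5)) names a client and matches
the PARANOID / UNKNOWN / KNOWN patterns.  Added example, not from the mail
or from tcp_wrappers; the clients and rules below are constructed data."""

from dataclasses import dataclass
from typing import List, Optional, Tuple

UNKNOWN = "unknown"    # libwrap's name for a client with no usable PTR record
PARANOID = "paranoid"  # libwrap's name when PTR and forward lookup disagree


@dataclass
class Client:
    addr: str
    ptr_name: Optional[str]          # reverse lookup result, None if no PTR
    forward_addrs: Tuple[str, ...]   # addresses the PTR name resolves back to


def eval_hostname(c: Client) -> str:
    """Mimic libwrap's hostname resolution: no PTR -> 'unknown';
    a PTR name that does not resolve back to the address -> 'paranoid'."""
    if c.ptr_name is None:
        return UNKNOWN
    if c.addr not in c.forward_addrs:
        return PARANOID
    return c.ptr_name.lower()


def host_match(pattern: str, c: Client) -> bool:
    """Match one client pattern from a hosts.allow rule (subset of hosts_access(5))."""
    name = eval_hostname(c)
    if pattern == "ALL":
        return True
    if pattern == "UNKNOWN":
        return name == UNKNOWN
    if pattern == "KNOWN":
        return name not in (UNKNOWN, PARANOID)
    if pattern == "PARANOID":
        return name == PARANOID
    if pattern.startswith("."):      # domain suffix, e.g. ".example.net"
        return name.endswith(pattern.lower())
    if pattern.endswith("."):        # address prefix, e.g. "192.0.2."
        return c.addr.startswith(pattern)
    return name == pattern.lower() or c.addr == pattern


Rule = Tuple[List[str], List[str], str]   # (daemons, client patterns, action)


def hosts_access(rules: List[Rule], daemon: str, c: Client) -> str:
    """First matching rule wins; no match means the connection is allowed."""
    for daemons, clients, action in rules:
        if "ALL" in daemons or daemon in daemons:
            if any(host_match(p, c) for p in clients):
                return action
    return "allow (no rule matched)"


# The rule from the mail: only PARANOID clients are twisted.
MAIL_RULES: List[Rule] = [(["ALL"], ["PARANOID"], "twist")]
# The same rule with UNKNOWN added so clients lacking reverse DNS are caught too.
FIXED_RULES: List[Rule] = [(["ALL"], ["PARANOID", "UNKNOWN"], "twist")]

# Constructed clients using RFC 5737 documentation addresses.
CLIENTS = {
    "good dns":   Client("192.0.2.10", "host.example.net", ("192.0.2.10",)),
    "no ptr":     Client("192.0.2.20", None, ()),
    "forged ptr": Client("192.0.2.30", "trusted.example.net", ("198.51.100.5",)),
}


def decide(rules: List[Rule], daemon: str = "sshd") -> dict:
    """Verdict for every constructed client under the given rule set."""
    return {label: hosts_access(rules, daemon, c) for label, c in CLIENTS.items()}


if __name__ == "__main__":
    for title, rules in (("rule from the mail", MAIL_RULES),
                         ("with UNKNOWN added", FIXED_RULES)):
        print(title)
        for label, verdict in decide(rules).items():
            print(f"  {label:11} -> {verdict}")
```

Two further checks belong with this on a real host. Whether sshd consults hosts.allow at all depends on it being linked against libwrap, which `ldd /usr/sbin/sshd` shows (look for libwrap in the output); inetd-spawned services such as telnetd go through inetd's own wrapper support. And the `tcpdmatch` utility shipped with tcp_wrappers evaluates the installed hosts.allow for a given daemon and client (`tcpdmatch sshd 192.0.2.20`, with a constructed address), so the rule can be tested against a client with no reverse DNS before relying on it. UNKNOWN also fires on a transient resolver failure for an otherwise legitimate client, a caveat hosts_access(5) itself notes.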