From owner-freebsd-questions Wed Aug 29 20:54:24 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from mail3.new.rr.com (fe3.rdc-kc.rr.com [24.94.163.50]) by hub.freebsd.org (Postfix) with ESMTP id 6D33237B401 for ; Wed, 29 Aug 2001 20:54:20 -0700 (PDT) (envelope-from bbayorgeon@new.rr.com)
Received: from rakort ([24.164.235.228]) by mail3.new.rr.com with Microsoft SMTPSVC(5.5.1877.537.53); Wed, 29 Aug 2001 22:54:19 -0500
From: "Brian"
Subject: Ok, I have been hacked, toor exploited apparently
Date: Wed, 29 Aug 2001 22:48:44 -0500
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Sender: owner-freebsd-questions@FreeBSD.ORG

I finally noticed yesterday that something was amiss. As it turns out, the entire contents of my etc directory were deleted. Cruising through the log files I found the following interesting items. (I log the heck out of everything.)

7-info.log:Aug 7 08:15:46 ceil telnetd[24924]: ttloop: peer died: No such file or directory
daemon.log:Aug 7 08:15:46 ceil telnetd[24924]: ttloop: peer died: No such file or directory
8-debug.log:Aug 7 08:47:55 ceil passwd: user toor changed their local password
user.log:Aug 7 08:47:55 ceil passwd: user toor changed their local password
console.log:Aug 7 08:44:16 ceil inetd[335]: shell/tcp6: unknown service
4-err.log:Aug 7 08:44:16 ceil inetd[335]: shell/tcp6: unknown service
daemon.log:Aug 7 08:44:16 ceil inetd[335]: shell/tcp6: unknown service
ipfw.log:Aug 7 08:15:40 ceil /kernel: ipfw: 5500 Accept TCP 198.143.213.134:1049 xx.xxx.xxx.xxx:23 in via ed1
ipfw.log:Aug 7 08:15:46 ceil /kernel: ipfw: 5500 Accept TCP 198.143.213.134:1050 xx.xxx.xxx.xxx:23 in via ed1
ipfw.log:Aug 7 08:40:13 ceil /kernel: ipfw: 5400 Accept TCP 24.164.145.194:20 xx.xxx.xxx.xxx:49161 in via ed1
ipfw.log:Aug 7 08:40:35 ceil /kernel: ipfw: 5400 Accept TCP 24.164.145.194:20 xx.xxx.xxx.xxx:49162 in via ed1

My box sits on the net via a cable modem 24/7 with a relatively fixed IP address. I have been seeing all kinds of junk filtered out with IPFW. I did, however, leave ftp and telnet open on the firewall. The following two log items seem to be the best clues to what happened.

Aug 7 08:44:16 ceil inetd[335]: shell/tcp6: unknown service
Aug 7 08:47:55 ceil passwd: user toor changed their local password

I guess I am looking for advice to help identify what happened so I can close the loopholes and keep those pesky folks out. It took me several hours to recover my etc directory from a partial backup I did almost a year ago. I still do not know if I have it all correct, but I am up and running again anyhow.

I have never done anything with the toor passwd. It has always remained undefined or "*". Was this a huge mistake? The other thing is, what the heck is "inetd[335]: shell/tcp6: unknown service"? Is this how the hacker got in? It happened a few minutes before the passwd for toor was changed.

Thanks for any advice.

Brian

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
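A detection pass over the log lines quoted in the post, as an added example that is not part of the original message: it parses the ipfw accept lines and the passwd line and flags any password change of root or toor that follows inbound telnet/ftp/rlogin/rsh connections from the net within the previous hour. The sample log is constructed from the lines above (year assumed to be 2001, since syslog does not record it); the port set, the privileged-account list and the one-hour window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: the syslog/ipfw lines quoted in the post, merged
# into one stream in time order. The year is assumed (syslog omits it).
SAMPLE_LOG = """\
Aug 7 08:15:40 ceil /kernel: ipfw: 5500 Accept TCP 198.143.213.134:1049 xx.xxx.xxx.xxx:23 in via ed1
Aug 7 08:15:46 ceil /kernel: ipfw: 5500 Accept TCP 198.143.213.134:1050 xx.xxx.xxx.xxx:23 in via ed1
Aug 7 08:15:46 ceil telnetd[24924]: ttloop: peer died: No such file or directory
Aug 7 08:40:13 ceil /kernel: ipfw: 5400 Accept TCP 24.164.145.194:20 xx.xxx.xxx.xxx:49161 in via ed1
Aug 7 08:44:16 ceil inetd[335]: shell/tcp6: unknown service
Aug 7 08:47:55 ceil passwd: user toor changed their local password
"""

TS = r"(\w{3}\s+\d+ \d\d:\d\d:\d\d)"
IPFW_RE = re.compile(TS + r" \S+ /kernel: ipfw: \d+ Accept TCP (\S+):\d+ \S+:(\d+) in via")
PASSWD_RE = re.compile(TS + r" \S+ passwd: user (\S+) changed their local password")

# Assumed: services that give an interactive login (ftp, telnet, rlogin, rsh/"shell")
LOGIN_PORTS = {21, 23, 513, 514}
# Assumed: accounts whose password should never change without the admin knowing
PRIVILEGED = {"root", "toor"}

def parse_ts(text, year=2001):
    """Syslog timestamps carry no year, so one is assumed."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def find_suspicious(log_text, window=timedelta(hours=1)):
    """Return (user, change_time, [(src_ip, dst_port, time), ...]) for every
    privileged password change preceded by an accepted inbound login within `window`."""
    logins, changes = [], []
    for line in log_text.splitlines():
        m = IPFW_RE.match(line)
        if m and int(m.group(3)) in LOGIN_PORTS:
            logins.append((m.group(2), int(m.group(3)), parse_ts(m.group(1))))
            continue
        m = PASSWD_RE.match(line)
        if m and m.group(2) in PRIVILEGED:
            changes.append((m.group(2), parse_ts(m.group(1))))
    findings = []
    for user, when in changes:
        prior = [ev for ev in logins if when - window <= ev[2] <= when]
        if prior:
            findings.append((user, when, prior))
    return findings

if __name__ == "__main__":
    for user, when, prior in find_suspicious(SAMPLE_LOG):
        srcs = sorted({ip for ip, _, _ in prior})
        print(f"{when}: password of '{user}' changed; inbound logins in prior hour from {srcs}")
```

On the sample the only finding is the toor change at 08:47:55, preceded by the two telnet connections from 198.143.213.134; the FTP data connections are not counted because their destination port is an ephemeral one.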