Date: Wed, 29 Aug 2001 22:48:44 -0500
From: "Brian" <bbayorgeon@new.rr.com>
To: <freebsd-questions@FreeBSD.ORG>
Subject: Ok, I have been hacked, toor exploited apparently
Message-ID: <ILECJPOKCPCCHDEMKLBNMENICEAA.bbayorgeon@new.rr.com>
I finally noticed yesterday that something was amiss. As it turns out, the entire contents of my etc directory was deleted. Cruising through the log files I found the following interesting items. (I log the heck out of everything.)

7-info.log:Aug 7 08:15:46 ceil telnetd[24924]: ttloop: peer died: No such file or directory
daemon.log:Aug 7 08:15:46 ceil telnetd[24924]: ttloop: peer died: No such file or directory
8-debug.log:Aug 7 08:47:55 ceil passwd: user toor changed their local password
user.log:Aug 7 08:47:55 ceil passwd: user toor changed their local password
console.log:Aug 7 08:44:16 ceil inetd[335]: shell/tcp6: unknown service
4-err.log:Aug 7 08:44:16 ceil inetd[335]: shell/tcp6: unknown service
daemon.log:Aug 7 08:44:16 ceil inetd[335]: shell/tcp6: unknown service
ipfw.log:Aug 7 08:15:40 ceil /kernel: ipfw: 5500 Accept TCP 198.143.213.134:1049 xx.xxx.xxx.xxx:23 in via ed1
ipfw.log:Aug 7 08:15:46 ceil /kernel: ipfw: 5500 Accept TCP 198.143.213.134:1050 xx.xxx.xxx.xxx:23 in via ed1
ipfw.log:Aug 7 08:40:13 ceil /kernel: ipfw: 5400 Accept TCP 24.164.145.194:20 xx.xxx.xxx.xxx:49161 in via ed1
ipfw.log:Aug 7 08:40:35 ceil /kernel: ipfw: 5400 Accept TCP 24.164.145.194:20 xx.xxx.xxx.xxx:49162 in via ed1

My box sits on the net via a cable modem 24/7 with a relatively fixed IP address. I have been seeing all kinds of junk filtered out with IPFW. I did, however, leave ftp and telnet open on the firewall. The following two log items seem to be the best clues to what happened.

Aug 7 08:44:16 ceil inetd[335]: shell/tcp6: unknown service
Aug 7 08:47:55 ceil passwd: user toor changed their local password

I guess I am looking for advice to help identify what happened so I can close the loopholes and keep those pesky folks out. It took me several hours to recover my etc directory from a partial backup I did almost a year ago. I still do not know if I have it all correct, but I am up and running again anyhow. I have never done anything with the toor passwd. It has always remained undefined or "*". Was this a huge mistake? The other thing is, what the heck is "inetd[335]: shell/tcp6: unknown service"? Is this how the hacker got in? It happened a few min before the passwd for toor was changed.

Thanks for any advice.

Brian

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
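The post's clues are scattered across several log files, and the useful question is which events preceded the toor password change and from which peers. The following Python script is an added example (not code from the poster or from FreeBSD) that parses the classic syslog and ipfw line formats quoted above, builds a timeline, flags any uid-0 password change together with the inbound accepts and inetd errors of the preceding hour, and separately reports whether each uid-0 entry in a master.passwd(5) file is locked ("*"), empty, or has a hash set. The sample log is the post's own lines with the grep "file:" prefixes removed; the year is assumed to be 2001 from the mail date, since syslog timestamps carry none, and the watched-port and one-hour-window choices are assumptions for the example.

```python
"""Timeline helper for syslog/ipfw evidence of the kind quoted in the post.
Added example; assumes classic "Mon DD HH:MM:SS host prog[pid]: msg" syslog
lines and a caller-supplied year (syslog timestamps have none)."""
import re
from datetime import datetime, timedelta

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)")
PASSWD_RE = re.compile(r"user (?P<user>\S+) changed their local password")

WATCHED_PORTS = {21: "ftp", 23: "telnet"}   # services the post says were left open (assumed set)
UID0_ACCOUNTS = {"root", "toor"}


def parse_line(line, year):
    """Return an event dict for one syslog line, or None if it is not of interest."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    prog, msg = m["prog"], m["msg"]
    ev = {"ts": ts, "prog": prog, "raw": line.strip()}
    fw = IPFW_RE.search(msg)
    if fw and fw["dir"] == "in" and fw["action"] == "Accept":
        dport, sport = int(fw["dport"]), int(fw["sport"])
        if dport in WATCHED_PORTS:
            ev.update(kind="inbound_" + WATCHED_PORTS[dport], peer=fw["src"])
            return ev
        if sport == 20:
            # Source port 20 toward a high port is an active-mode FTP data
            # connection, i.e. the box itself transferred a file with that peer.
            ev.update(kind="ftp_data_in", peer=fw["src"])
            return ev
        return None
    pw = PASSWD_RE.search(msg)
    if prog == "passwd" and pw:
        ev.update(kind="passwd_change", user=pw["user"])
        return ev
    if prog == "inetd" and "unknown service" in msg:
        ev.update(kind="inetd_unknown_service", service=msg.split(":")[0])
        return ev
    return None


def correlate(log_text, year, window=timedelta(hours=1)):
    """Flag uid-0 password changes and list what preceded each within `window`."""
    events = [e for e in (parse_line(ln, year) for ln in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    findings = []
    for ev in events:
        if ev["kind"] == "passwd_change" and ev["user"] in UID0_ACCOUNTS:
            prior = [p for p in events if ev["ts"] - window <= p["ts"] < ev["ts"]]
            findings.append({
                "user": ev["user"], "at": ev["ts"],
                "peers": sorted({p["peer"] for p in prior if "peer" in p}),
                "preceded_by": [p["kind"] for p in prior],
            })
    return findings


def uid0_password_state(master_passwd_text):
    """Map each uid-0 account in master.passwd(5) text to 'locked', 'EMPTY' or 'set'.
    A '*' field can never match a hash, so no password login is possible;
    an empty field means the account has no password at all."""
    state = {}
    for line in master_passwd_text.splitlines():
        fields = line.split(":")   # name:pw:uid:gid:class:change:expire:gecos:home:shell
        if len(fields) >= 10 and fields[2] == "0":
            pw = fields[1]
            state[fields[0]] = "locked" if pw.startswith("*") else ("EMPTY" if pw == "" else "set")
    return state


# Constructed sample: the lines quoted in the post, "file:" prefixes removed.
SAMPLE_LOG = """\
Aug 7 08:15:40 ceil /kernel: ipfw: 5500 Accept TCP 198.143.213.134:1049 xx.xxx.xxx.xxx:23 in via ed1
Aug 7 08:15:46 ceil /kernel: ipfw: 5500 Accept TCP 198.143.213.134:1050 xx.xxx.xxx.xxx:23 in via ed1
Aug 7 08:15:46 ceil telnetd[24924]: ttloop: peer died: No such file or directory
Aug 7 08:40:13 ceil /kernel: ipfw: 5400 Accept TCP 24.164.145.194:20 xx.xxx.xxx.xxx:49161 in via ed1
Aug 7 08:40:35 ceil /kernel: ipfw: 5400 Accept TCP 24.164.145.194:20 xx.xxx.xxx.xxx:49162 in via ed1
Aug 7 08:44:16 ceil inetd[335]: shell/tcp6: unknown service
Aug 7 08:47:55 ceil passwd: user toor changed their local password
"""

if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG, 2001):
        print(f"{f['user']} password changed at {f['at']}: prior hour had "
              f"{f['preceded_by']} from peers {f['peers']}")
```

Run on the post's lines, it reports the toor change at 08:47:55 preceded within the hour by two inbound telnet accepts from one peer, two FTP data connections from another, and the inetd "shell/tcp6" error. On a real box the same parser would be fed `grep -h` output from all of /var/log, and `uid0_password_state` would be given the contents of /etc/master.passwd after restoring it, to confirm toor is back to "*".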