From owner-freebsd-questions Wed Aug 29 21:00:08 2001
Date: Wed, 29 Aug 2001 20:59:59 -0700 (PDT)
From: Tim Erlin
Subject: Re: Ok, I have been hacked, toor exploited apparently
To: bbayorgeon@new.rr.com, freebsd-questions@FreeBSD.ORG
Message-ID: <20010830035959.27838.qmail@web11703.mail.yahoo.com>

Once the box has been compromised, there is no way for you to be *sure*
that it's whole again. Best advice is to reinstall from scratch.

Small piece of advice, don't run telnet. Run SSH instead. There was a
telnetd vulnerability in versions of FreeBSD prior to July...that might
be the problem here.

--Tim Erlin

--- Brian wrote:
> I finally noticed yesterday that something was amiss.
>
> As it turns out the entire contents of my etc directory was deleted.
> Cruising through the log files I found the following interesting items.
> (I log the heck out of everything)
>
> 7-info.log:Aug 7 08:15:46 ceil telnetd[24924]: ttloop: peer died: No such file or directory
> daemon.log:Aug 7 08:15:46 ceil telnetd[24924]: ttloop: peer died: No such file or directory
> 8-debug.log:Aug 7 08:47:55 ceil passwd: user toor changed their local password
> user.log:Aug 7 08:47:55 ceil passwd: user toor changed their local password
> console.log:Aug 7 08:44:16 ceil inetd[335]: shell/tcp6: unknown service
> 4-err.log:Aug 7 08:44:16 ceil inetd[335]: shell/tcp6: unknown service
> daemon.log:Aug 7 08:44:16 ceil inetd[335]: shell/tcp6: unknown service
> ipfw.log:Aug 7 08:15:40 ceil /kernel: ipfw: 5500 Accept TCP 198.143.213.134:1049 xx.xxx.xxx.xxx:23 in via ed1
> ipfw.log:Aug 7 08:15:46 ceil /kernel: ipfw: 5500 Accept TCP 198.143.213.134:1050 xx.xxx.xxx.xxx:23 in via ed1
> ipfw.log:Aug 7 08:40:13 ceil /kernel: ipfw: 5400 Accept TCP 24.164.145.194:20 xx.xxx.xxx.xxx:49161 in via ed1
> ipfw.log:Aug 7 08:40:35 ceil /kernel: ipfw: 5400 Accept TCP 24.164.145.194:20 xx.xxx.xxx.xxx:49162 in via ed1
>
> My box sits on the net via a cable modem 24/7 with a relatively fixed
> ip address. I have been seeing all kinds of junk filtered out with IPFW.
> I did however leave ftp open and telnet on the firewall. The following
> two log items seem to be the best clues of what happened.
>
> Aug 7 08:44:16 ceil inetd[335]: shell/tcp6: unknown service
> Aug 7 08:47:55 ceil passwd: user toor changed their local password
>
> I guess I am looking for advice to help identify what happened so I can
> close the loop holes and keep those pesky folks out. Took me several
> hours to recover my etc directory from a partial backup I did almost a
> year ago. I still do not know if I have it all correct, but I am up and
> running again anyhow.
>
> I have never done anything with the toor passwd. It has always remained
> undefined or "*". Was this a huge mistake?
>
> The other thing is what the heck is "inetd[335]: shell/tcp6: unknown
> service"? Is this how the hacker got it? It happened a few min before
> the passwd for toor was changed.
>
> Thanks for any advice.
>
> Brian

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
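The lines Brian quoted are spread over several log files and two formats (syslog text and ipfw(8) kernel lines), so the first job in an incident like this is to collapse the duplicates into one timeline and then link the inbound connections to the host-side events. The script below is an added example for that step; it is not from the thread, from Tim, from Brian or from FreeBSD. The log lines are copied verbatim from Brian's message (his local address is already masked), the year is taken from the message date because syslog stamps carry none, and the regexes, tag names and the 60-minute linking window are assumptions of this example, not FreeBSD conventions.

```python
"""Timeline correlation over the syslog and ipfw lines quoted in the thread.

Added example, not code from the original post or from FreeBSD. The rules
below are deliberately simple: de-duplicate events that were logged to
several files, tag the ones a defender cares about, and link an inbound
telnet accept to a later change of a uid-0 account's password.
"""
import re
from collections import OrderedDict
from datetime import datetime, timedelta

# Sample input copied from Brian's message (grep -H style "<file>:" prefixes).
SAMPLE_LOGS = """\
7-info.log:Aug 7 08:15:46 ceil telnetd[24924]: ttloop: peer died: No such file or directory
daemon.log:Aug 7 08:15:46 ceil telnetd[24924]: ttloop: peer died: No such file or directory
8-debug.log:Aug 7 08:47:55 ceil passwd: user toor changed their local password
user.log:Aug 7 08:47:55 ceil passwd: user toor changed their local password
console.log:Aug 7 08:44:16 ceil inetd[335]: shell/tcp6: unknown service
4-err.log:Aug 7 08:44:16 ceil inetd[335]: shell/tcp6: unknown service
daemon.log:Aug 7 08:44:16 ceil inetd[335]: shell/tcp6: unknown service
ipfw.log:Aug 7 08:15:40 ceil /kernel: ipfw: 5500 Accept TCP 198.143.213.134:1049 xx.xxx.xxx.xxx:23 in via ed1
ipfw.log:Aug 7 08:15:46 ceil /kernel: ipfw: 5500 Accept TCP 198.143.213.134:1050 xx.xxx.xxx.xxx:23 in via ed1
ipfw.log:Aug 7 08:40:13 ceil /kernel: ipfw: 5400 Accept TCP 24.164.145.194:20 xx.xxx.xxx.xxx:49161 in via ed1
ipfw.log:Aug 7 08:40:35 ceil /kernel: ipfw: 5400 Accept TCP 24.164.145.194:20 xx.xxx.xxx.xxx:49162 in via ed1
"""

YEAR = 2001  # syslog timestamps have no year; taken from the message date (assumption)

# "<file>:<Mon> <day> <HH:MM:SS> <host> <rest>"  -- assumed shape of the quoted lines
SYSLOG_RE = re.compile(
    r"^(?P<file>[^:]+):(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<rest>.*)$")
# ipfw log body as it appears in the sample: "ipfw: <rule> <action> <proto> <src>:<sp> <dst>:<dp> in via <if>"
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\w.]+):(?P<sport>\d+) (?P<dst>[\w.]+):(?P<dport>\d+) (?P<dir>in|out) via (?P<iface>\S+)")
PASSWD_RE = re.compile(r"passwd: user (?P<user>\S+) changed")
UID0_ACCOUNTS = ("root", "toor")  # FreeBSD ships both with uid 0


def parse(text):
    """Return a time-ordered list of events, one per distinct (timestamp, body).

    Brian logs each facility to several files, so the same syslog event shows
    up two or three times; the 'files' list records where each copy came from.
    """
    events = OrderedDict()
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        key = (ts, m["rest"])
        if key in events:
            events[key]["files"].append(m["file"])
            continue
        ev = {"ts": ts, "host": m["host"], "body": m["rest"], "files": [m["file"]]}
        fw = IPFW_RE.search(m["rest"])
        if fw:
            ev["fw"] = {k: (int(v) if v.isdigit() else v) for k, v in fw.groupdict().items()}
        events[key] = ev
    return sorted(events.values(), key=lambda e: e["ts"])


def analyse(events):
    """Tag events of interest. Each finding is (timestamp, tag, explanation)."""
    findings = []
    for e in events:
        fw = e.get("fw")
        if fw and fw["dir"] == "in" and fw["action"] == "Accept":
            if fw["dport"] == 23:
                findings.append((e["ts"], "telnet-inbound",
                                 f"cleartext telnet session accepted from {fw['src']}"))
            elif fw["sport"] == 20:
                # Active-mode FTP: the server connects *from* port 20 to the
                # client's high port, so an inbound accept from :20 means this
                # host was the FTP client pulling data from fw['src'].
                findings.append((e["ts"], "ftp-active-data-inbound",
                                 f"active-mode FTP data connection from {fw['src']}"))
        if "telnetd" in e["body"] and "ttloop: peer died" in e["body"]:
            findings.append((e["ts"], "telnetd-abnormal-exit", "telnet peer went away mid-session"))
        pw = PASSWD_RE.search(e["body"])
        if pw:
            tag = "uid0-password-change" if pw["user"] in UID0_ACCOUNTS else "password-change"
            findings.append((e["ts"], tag, f"password of {pw['user']} changed via passwd(1)"))
        if "inetd" in e["body"] and "unknown service" in e["body"]:
            # inetd(8) logs this when an inetd.conf entry names a service it
            # cannot resolve; here it is the timing, a few minutes before the
            # passwd event, that makes it worth keeping on the timeline.
            findings.append((e["ts"], "inetd-unknown-service", e["body"]))
    return findings


def chain(findings, window_minutes=60):
    """Link each inbound telnet accept to any later uid-0 password change
    inside the window. Returns (telnet_ts, change_ts, delta) triples."""
    telnet = [f for f in findings if f[1] == "telnet-inbound"]
    changes = [f for f in findings if f[1] == "uid0-password-change"]
    links = []
    for t in telnet:
        for c in changes:
            delta = c[0] - t[0]
            if timedelta(0) <= delta <= timedelta(minutes=window_minutes):
                links.append((t[0], c[0], delta))
    return links


if __name__ == "__main__":
    evs = parse(SAMPLE_LOGS)
    for e in evs:
        print(e["ts"].strftime("%b %d %H:%M:%S"), f"[{','.join(e['files'])}]", e["body"])
    print()
    for ts, tag, why in analyse(evs):
        print(ts.strftime("%H:%M:%S"), tag.ljust(24), why)
    for t, c, d in chain(analyse(evs)):
        print(f"telnet accept at {t:%H:%M:%S} -> uid-0 password change at {c:%H:%M:%S} ({d} later)")
```

Run as-is it prints the seven distinct events, the tags, and the two telnet accepts that precede the toor password change by about half an hour. The point of the de-duplication step is that Brian's eleven lines are really seven events; the point of the chain step is that a timeline, not any single line, is what supports the kind of conclusion Tim draws about telnetd.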