From owner-freebsd-questions@FreeBSD.ORG Thu Nov 17 04:38:58 2005
Date: Wed, 16 Nov 2005 22:38:59 -0600
From: Will Maier
To: freebsd-questions@freebsd.org
Message-ID: <20051117043859.GF26954@localdomain>
References: <51190.68.165.89.71.1132194943.squirrel@mail.el.net> <20051117025112.3707143D45@mx1.FreeBSD.org>
In-Reply-To: <20051117025112.3707143D45@mx1.FreeBSD.org>
Subject: Re: Need urgent help regarding security
List-Id: User questions
On Wed, Nov 16, 2005 at 09:51:08PM -0500, Steve Bertrand wrote:
> Most *((cr/h)ackers* (and I use that term VERY loosely (aka:
> script kiddies)) are interested in rooting a box, and setting up a
> storage/sharing area that is free to them. This may not be the
> case, but it's better to 'observe' your foreign presence first.

I understand the rationale behind this advice, but I disagree. I made my suggestion plain in another part of this thread, but (in general) the first priority should be to disrupt the attack.

For some organizations (universities, especially), computing resources are our number one asset. We have oodles of cycles and network bandwidth -- a rooted box directly targets our valuables, even if it's "only doing IRC or warez". Moreover, the longer the hole remains open, the greater the chance that the attacker will extend the breach. In most every scenario I can imagine, this is unacceptable.

Real forensic investigation can't really even be performed until the box is offline; looking at /tmp and other likely trouble spots is excellent advice, but should come later in the process. For now, take a snapshot of the network activity (using lsof, ngrep, tcpdump, etc); I recommended lsof because it will reveal all open files and network sockets very quickly. Dump the output to a file and unplug the machine. tcpdump and friends will work well, too, and give you a more in-depth look at the network activity, but will also require you to keep the box up for longer than I'd be comfortable.

OP has some asset that is being threatened or diminished by this attack, be it his bandwidth, CPU cycles, host/network integrity or self confidence. He needs to identify that asset and work quickly to protect it. In most cases, this will mean immediately removing the box and preparing to rebuild the machine; if he's interested in investigating, he can do that on an image of the disk (since investigations are of little use if they ruin the evidence).

Allowing the attack to proceed may be moderately enlightening, but (from the OP's message) it seems like the basic problem is known. Crufty machines attract attacks.

-- 
o--------------------------{ Will Maier }--------------------------o
| jabber:..wcmaier@jabber.ccc.de | email:..........wcmaier@ml1.net |
| \.........wcmaier@cae.wisc.edu | \..........wcmaier@cae.wisc.edu |
*------------------[ BSD Unix: Live Free or Die ]------------------*
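The "snapshot, dump to a file, unplug" step the mail recommends, written out as a small POSIX sh script. This is an added example, not Will Maier's script or anything from the thread: it runs whichever of lsof, sockstat, netstat, ps, who and last are installed, stores each output in a timestamped directory, optionally takes a packet-count-bounded tcpdump when `PCAP_PACKETS` is set (so the box is not kept up for an open-ended capture), and finishes with a SHA-256 manifest so the copy carried off the machine can later be shown to be unchanged. The output directory, the file names and the `PCAP_PACKETS` variable are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original mail): capture volatile state of a host
# suspected of compromise before it is unplugged. Every tool is optional; a
# missing tool or a failing command is logged, never fatal, because partial
# evidence beats none when the box has to come offline quickly.
# Assumptions: POSIX sh, write access to the output directory, and the file
# names / PCAP_PACKETS variable chosen here (they are not the mail's).

# run_capture NAME CMD... : run CMD, saving stdout+stderr to $OUT/NAME.txt.
run_capture() {
    name=$1; shift
    if command -v "$1" >/dev/null 2>&1; then
        "$@" >"$OUT/$name.txt" 2>&1 || echo "$name: exit status $?" >>"$OUT/errors.txt"
        echo "$name: $*" >>"$OUT/commands.txt"
    else
        echo "$name: $1 not found, skipped" >>"$OUT/errors.txt"
    fi
}

# collect_volatile_state DIR : fill DIR with captures plus a hash manifest.
collect_volatile_state() {
    OUT=$1
    mkdir -p "$OUT"
    date -u >"$OUT/started_at.txt"
    hostname >"$OUT/hostname.txt" 2>/dev/null || true
    # Open files and sockets first: fastest and most revealing, as the mail says.
    run_capture lsof_net lsof -nP -i
    run_capture lsof_all lsof -nP
    run_capture sockstat sockstat -46      # FreeBSD's native socket listing
    run_capture netstat  netstat -an
    run_capture ps       ps auxww
    run_capture who      who
    run_capture last     last
    # Bounded packet capture only when explicitly requested: -c stops tcpdump
    # after that many packets so the host is not kept online indefinitely.
    # tcpdump needs root; if it cannot open an interface that is just logged.
    if [ -n "${PCAP_PACKETS:-}" ]; then
        run_capture pcap tcpdump -nn -c "$PCAP_PACKETS" -w "$OUT/capture.pcap"
    fi
    date -u >"$OUT/finished_at.txt"
    write_manifest "$OUT"
}

# write_manifest DIR : hash every captured file (sha256sum on Linux, sha256(1)
# on FreeBSD) into DIR/manifest.txt and print the manifest path.
write_manifest() {
    dir=$1
    : >"$dir/manifest.txt"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in */manifest.txt) continue ;; esac
        if command -v sha256sum >/dev/null 2>&1; then
            sha256sum "$f" >>"$dir/manifest.txt"
        elif command -v sha256 >/dev/null 2>&1; then
            sha256 -r "$f" >>"$dir/manifest.txt"
        else
            echo "nohash  $f" >>"$dir/manifest.txt"
        fi
    done
    echo "$dir/manifest.txt"
}

# manifest_lists DIR NAME : succeed if DIR/NAME.txt is recorded in the manifest.
manifest_lists() {
    grep -q "/$2\.txt\$" "$1/manifest.txt"
}

# Usage on the suspect host (constructed example path):
#   PCAP_PACKETS=500 sh snapshot.sh   # after uncommenting the next line
# collect_volatile_state "/var/tmp/triage-$(date -u +%Y%m%dT%H%M%SZ)"
```

Copy the whole directory to removable media or another host and check the manifest there (`sha256sum -c manifest.txt` or `sha256 -c`) before the machine is powered down and imaged; the disk image, not the live box, is where the later investigation runs.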