From owner-freebsd-stable Thu Jul 30 12:23:46 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA01337 for freebsd-stable-outgoing; Thu, 30 Jul 1998 12:23:46 -0700 (PDT) (envelope-from owner-freebsd-stable@FreeBSD.ORG)
Received: from helios.whro.org (helios.whro.org [198.78.178.25]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA01291 for ; Thu, 30 Jul 1998 12:23:32 -0700 (PDT) (envelope-from bboone@whro.org)
Received: from wizard.whro.org (stargate.whro.net [198.78.178.11]) by helios.whro.org (8.8.5/8.8.5) with SMTP id PAA01177 for ; Thu, 30 Jul 1998 15:16:30 -0400 (EDT)
Message-ID: <002e01bdbbf0$8e63eb20$ef63a8c0@wizard.whro.org>
From: "Bob Boone"
To:
Subject: Security Issue --
Date: Thu, 30 Jul 1998 15:30:42 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.2106.4
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Not sure if this is the "right" place for this, but this is the list I'm on. . . .

I'm a marginal Unix-person, who used FreeBSD because Apache ran on it, and it has been dependable for nearly 2 years. . . So dependable that I have not had to get deep into Unix to keep it crusin' . . . . . now I've got trouble. . . . .

Running a webserver on 2.2.5 / Apache, loaded update 10/21/97, running continuously since that date. Security file this morning noted:

    checking setuid files and devices:
    www setuid diffs:
    2d1
    < -r-xr-sr-x 1 bin kmem 167936 Oct 21 10:15:06 1997 /bin/ps
    48d46
    < -r-xr-sr-x 2 bin kmem 16384 Oct 21 10:19:37 1997 /usr/bin/uptime
    54d51
    < -r-xr-sr-x 2 bin kmem 16384 Oct 21 10:19:37 1997 /usr/bin/w
    checking for uids of 0:
    root 0
    toor 0

The "uids" have never been anything but "0" . . . . but the other lines seemed to indicate a HACK.
A quick directory check showed a number of files changed between 3-6 am, some with "kmem" some with other owners, and a specific file in /bin: "libtcl76.a"

    -r-xr-xr-x 1 bin bin 40960 Oct 21 1997 hostname
    -r-xr-xr-x 1 bin bin 40960 Oct 21 1997 kill
    -rw-r--r-- 1 root bin 308582 Jul 30 05:41 libtcl76.a
    -r-xr-xr-x 1 bin bin 40960 Oct 21 1997 ln
    -r-xr-xr-x 1 bin bin 155648 Oct 21 1997 ls
    -r-xr-xr-x 1 bin bin 40960 Oct 21 1997 mkdir

All password files had been updated during this time, and a user account was changed. Before I could get downstairs to the server, the "libtcl76.a" file disappeared. My "messages" log was deleted, and there were no httpd-access or -error entries for that period of time . . .

Like an "alien" abduction, all overt evidence was erased, but I expect this is a more common "earthly" problem than that. . . .

There was one last entry on the terminal screen, that a mail error had occurred from "noc.ipspeed.net" -- they show up in internic as a new ISP in California (I'm on the east coast), so they should not have been the last bounce for mail to me, and I'm not sure what connection, if any, they are to my other problem . . .

QUESTIONS:

(1) Is this a known hack ???

(2) What else should I assume is corrupt, beyond password and user files. And how do I "delete" a user . . . sysinstall lets me ADD, but not DELETE, and when it adds it puts stuff in several different files, so I assume I'll need to go to each of these areas to delete the specific user-info . . . . ??

(3) What do I do to keep it from happening again ???

============================================================
Bob Boone
Chief Engineer, TV & Radio (Studios)
WHRO-TV/FM
Norfolk, Va.
bboone@whro.org
PH: 757.889.9466
FX: 757.489.4444
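The "setuid diffs" block quoted in the post is the output of diff, in its normal format, that FreeBSD's daily /etc/security script produces between yesterday's and today's listing of setuid/setgid files: a hunk header such as "2d1" followed by a "<" line means that entry was in yesterday's listing and is absent today, so /bin/ps, /usr/bin/uptime and /usr/bin/w had each dropped out of the setgid-kmem list (either the bit was removed or the binary was replaced by one without it). The following Python is an added example, not code from the post or from FreeBSD: it parses that section of the report, and then builds and compares a baseline of privileged files that also carries a SHA-256 of each file, which is what a mode-and-size listing cannot provide when a binary has been swapped for another of the same size and date. The sample report is constructed from the post's lines; the function names and the baseline format are assumptions of this example.

```python
import hashlib
import os
import re
import stat

# Constructed sample: the "setuid diffs" section quoted in the post.
# /etc/security produces it by running diff (normal output format,
# hence "2d1") between yesterday's and today's setuid/setgid listing.
SAMPLE_REPORT = """\
checking setuid files and devices:
www setuid diffs:
2d1
< -r-xr-sr-x 1 bin kmem 167936 Oct 21 10:15:06 1997 /bin/ps
48d46
< -r-xr-sr-x 2 bin kmem 16384 Oct 21 10:19:37 1997 /usr/bin/uptime
54d51
< -r-xr-sr-x 2 bin kmem 16384 Oct 21 10:19:37 1997 /usr/bin/w
checking for uids of 0:
root 0
toor 0
"""

# One ls-style listing line: "<" lines come from the previous listing,
# ">" lines from today's.  Groups: side, mode, owner, group, size, mtime, path.
LISTING_RE = re.compile(
    r"^([<>]) (\S{10}) +\d+ +(\S+) +(\S+) +(\d+) +(.+?) +(/\S+)$"
)


def parse_setuid_diffs(report):
    """Split the report's setuid-diff lines into entries that vanished
    ('<', present yesterday only) and entries that appeared ('>').
    Each entry is (path, mode, owner, group, size)."""
    vanished, appeared = [], []
    in_section = False
    for line in report.splitlines():
        if line.endswith("setuid diffs:"):
            in_section = True
            continue
        if in_section and line.startswith("checking "):
            break  # start of the next section of the report
        m = LISTING_RE.match(line) if in_section else None
        if m is None:
            continue
        side, mode, owner, group, size, _mtime, path = m.groups()
        entry = (path, mode, owner, group, int(size))
        (vanished if side == "<" else appeared).append(entry)
    return vanished, appeared


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def setuid_baseline(root):
    """Walk root and record every regular file carrying the setuid or
    setgid bit as relative path -> (mode string, uid, gid, size, sha256).
    The hash is the addition over a plain listing: it flags a binary that
    was swapped for another with the same mode, size and timestamp."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow a planted symlink
            if not stat.S_ISREG(st.st_mode):
                continue
            if not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                continue
            rel = os.path.relpath(path, root)
            baseline[rel] = (stat.filemode(st.st_mode), st.st_uid,
                             st.st_gid, st.st_size, _sha256(path))
    return baseline


def compare_baselines(old, new):
    """Report paths that lost their bit or were deleted ('vanished'),
    newly privileged files ('appeared'), and files still privileged but
    with a different mode, owner, size or hash ('changed')."""
    return {
        "vanished": sorted(set(old) - set(new)),
        "appeared": sorted(set(new) - set(old)),
        "changed": sorted(p for p in old.keys() & new.keys()
                          if old[p] != new[p]),
    }


if __name__ == "__main__":
    vanished, appeared = parse_setuid_diffs(SAMPLE_REPORT)
    for path, mode, owner, group, _size in vanished:
        print(f"vanished from setuid list: {path} ({mode} {owner}:{group})")
    print(f"{len(appeared)} new setuid entries")
```

The baseline from setuid_baseline is only as trustworthy as the first run that produced it, so it belongs on a system known to be clean, with the hashes stored somewhere the host itself cannot rewrite (removable or read-only media); a "changed" entry then tells you the file differs from the known-good copy, which is the check the post's mode-only listing could not make.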