Date: Thu, 30 Jul 1998 12:42:42 -0700 From: Mike Smith <mike@smith.net.au> To: "Bob Boone" <bboone@whro.org> Cc: freebsd-stable@FreeBSD.ORG Subject: Re: Security Issue -- Message-ID: <199807301942.MAA00458@dingo.cdrom.com> In-Reply-To: Your message of "Thu, 30 Jul 1998 15:30:42 EDT." <002e01bdbbf0$8e63eb20$ef63a8c0@wizard.whro.org>
next in thread | previous in thread | raw e-mail | index | archive | help
> Not sure if this is the "right" place for this, but this is the list I'm on. > .. . . I'm a marginal Unix-person, who used FreeBSD because Apache ran on > it, and it has been dependable for nearly 2-years. . . So dependable that I > have not had to get deep into Unix to keep it crusin' . . . . . now I've got > trouble. . . . . > > Running a webserver on 2.2.5 / Apache, loaded update 10/21/97, running > continuously since that date. > > Security file this morning noted: > > checking setuid files and devices: > www setuid diffs: > 2d1 > < -r-xr-sr-x 1 bin kmem 167936 Oct 21 10:15:06 1997 /bin/ps > 48d46 > < -r-xr-sr-x 2 bin kmem 16384 Oct 21 10:19:37 1997 /usr/bin/uptime > 54d51 > < -r-xr-sr-x 2 bin kmem 16384 Oct 21 10:19:37 1997 /usr/bin/w > checking for uids of 0: > root 0 > toor 0 > > The "uids" have never been anything but "0" . . . . but the other lines > seemed to indicate a HACK. A quick directory check showed a number of files > changed between 3-6 am, some with "kmem" some with other owners. and a > specific file in /bin: "libtcl76.a" > > -r-xr-xr-x 1 bin bin 40960 Oct 21 1997 hostname > -r-xr-xr-x 1 bin bin 40960 Oct 21 1997 kill > -rw-r--r-- 1 root bin 308582 Jul 30 05:41 libtcl76.a > -r-xr-xr-x 1 bin bin 40960 Oct 21 1997 ln > -r-xr-xr-x 1 bin bin 155648 Oct 21 1997 ls > -r-xr-xr-x 1 bin bin 40960 Oct 21 1997 mkdir > > All password files had been updated during this time, and a user account was > changed. > > Before I could get downstairs to the server, the "libtcl76.a" file > dissappeared. My "messages" log was deleted, and there were no httpd-access > or -error entries for that period of time . . . Like an "alien" abduction, > all overt evidence was erased, but I expect this is a more common "earthly" > problem than that. . . . There was one last entry on the terminal screen, > that a mail error had occurred from "noc.ipspeed.net" -- they show up in > internic as a new ISP in california (I'm on the east coast), so they should > not have been the last bounce for mail to me, and I'm not sure what > connection, if any, they are to my other problem . . . > > QUESTIONS: (1) Is this a known hack ??? It's not a "known hack", but you certainly had intruder activity. > (2) What else should I assume is corrupt, beyond > password and user files. Everything. Extract your *data* only to a backup device, reinstall and reconfigure from scratch. You should be performing regular data backups, so this should be pretty straightforward. > And how do I "delete" a user . . . sysinstall > lets me ADD, but not DELETE, and when it adds it puts stuff in several > different files, so I assume I'll need to go to each of these areas to > delete the specific user-info . . . . ?? 'pw userdel <username> -r' is pretty effective. > (3) What do I do to keep it from happening again ??? If you're running the Qualcomm pop server 'popper' you should upgrade it as there are known exploits. In general, you should ensure that you subscribe to the freebsd-security list, and check out the security advisories on a regular basis. When you reinstall, I would suggest moving to 2.2.7 and correspondingly upgrading apache and any CGI utilities that you're using. Be aware that while your system is in its compromised state (ie. now) it is quite likely being used to attack other systems. -- \\ Sometimes you're ahead, \\ Mike Smith \\ sometimes you're behind. \\ mike@smith.net.au \\ The race is long, and in the \\ msmith@freebsd.org \\ end it's only with yourself. \\ msmith@cdrom.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199807301942.MAA00458>