From owner-freebsd-security Tue Jul 28 15:07:12 1998
Date: Tue, 28 Jul 1998 15:05:45 -0700 (PDT)
From: "Jan B. Koum"
To: Show Boat
cc: security@FreeBSD.ORG
Subject: Re: Post qpopper trauma
In-Reply-To: <19980728211125.14099.qmail@hotmail.com>

On Tue, 28 Jul 1998, Show Boat wrote:

>I've just joined the security mailing list. I've read the charters,
>and I think I'm in line here. If I offend, please be gentle in your
>flaming.

Not at all. Actually, you should have joined this list right when you
installed FreeBSD for the very first time. :)

>
>On July 17th my 2.2.5 system was violated via the qpopper hack.
>Fortunately I came online during the hack, and was able to salvage the
>situation somewhat. I found the info on the qpopper exploit, and
>corrected my version.
>
>The intruders were busy when they were on (with root access.) They were
>attempting to recompile telnetd with their own little backdoor in it. I
>replaced all my telnetd stuff from a recent system backup. (I ran diff
>on the sources and was able to tell the code they added.) I recompiled
>the original, and thought all was well. I believed I had eliminated all
>trace of the intrusion, and eliminated any way they might have back in.
>
>However, it seems as though I was wrong.
>
>Last Friday, someone gained access to our system, and installed an
>eggdrop bot in our system. (hidden as well as could be.) This didn't
>come to my attention until this morning. The PID doesn't show up under
>'ps aux'. If you grep specifically for that PID, it shows up as
>telnetd. They have a file called faqproxy, and a link telnetd@ ->
>faqproxy. The eggdrop does show under top though. Same PID as that
>telnetd.
>
>I can't figure out how they gained access to the system this time. I am
>losing hair rapidly over this. They still have some kind of shunt
>that gives them root access. (or so it seems.)

Uhm.. when someone gets root on your system, there are 99999 ways to
backdoor the system. Did you check all the crontabs? What about at jobs?
What about all .rhosts? Or all .forward? This list can go on forever.
The one thing you should do at this point is backup all your user data
(you do that anyway, right?) and reinstall from scratch. If you don't
want to do that, you can try to CVSup latest sources and rebuild all of
your binaries.

>
>I've scoured my messages. The ONLY thing I cannot account for is this:
>
>Jul 24 19:05:38 nefertiti popper[28212]: Client at "207.155.142.251"
>resolves to an unknown host name "ts010d47.pri-nj.concentric.net"

When someone gets root they will MOST LIKELY (unless it is a stupid
script kiddie) clean up their logs: messages, lastlog, wtmp. They won't
show up in last and they won't show up in w(1).

>
>That it is popper scares me. The time frame is appropriate, as the
>eggdrop was launched in the 7pm hour of Jul 24.

As jkh said at one point: it is qpopper source which should scare you. :)

>
>I've looked through the 'last' log extensively. Again, nothing I cannot
>account for. Anyone with potential root access (sudo) logged from an IP
>I can account for.

Unless you have a syslog daemon log to another SECURE host, you have no
idea if your logs have been modified by an attacker.

>
>So I am against a wall. I cannot tell how access was gained, and I
>cannot guarantee that there aren't other nasties going on on the system.

Either of two things: clean reinstall or CVSup (I'd prefer the first one -
the latter one just saves time, but MIGHT not help you if there are
backdoors in places other than system binaries: /etc/alias,
/etc/hosts.equiv, /root/.rhosts, etc). If you do clean reinstall, look at
the system critical files which you move over (such as master.passwd,
/etc/crontab, etc).

>
>Thus, I am looking for some useful advice, or perhaps a security
>consult. If this is inappropriate for this list I apologize. I would
>be happy to continue this discussion through private e-mail.
>

www.best.com/~jkb/howto.txt ... don't you wish I had written it a month
ago? :)

-- Yan

>Thanks,
>Jeremy
>
>showboat@hotmail.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
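Two of the checks discussed in the thread, written out as an added example that is not part of the original mail: a shell audit of the root-level persistence spots Jan lists (crontabs, at jobs, .rhosts, .forward, hosts.equiv, aliases), run against a filesystem root so it can be pointed at the live system or at a mounted copy of the suspect disk from a clean host, and a comparison of two PID lists for the kind of process Jeremy saw in top but not in ps. The ROOT argument, the report labels and the FreeBSD/Linux path pairs are assumptions of this script.

```sh
#!/bin/sh
# Added example, not from the thread: audit the root-level persistence spots
# Jan lists (crontabs, at jobs, .rhosts, .forward, hosts.equiv, aliases) and
# compare two process lists the way Jeremy noticed the eggdrop showing in top
# but not in ps. ROOT may be "/" or a mounted copy of the suspect disk so the
# audit runs from a clean host; FreeBSD and Linux layouts are both checked.

# tag LABEL FILE [NEEDLE]: emit "LABEL<TAB>FILE<TAB>line" for each live line
# of FILE (comments and blanks dropped), or only for lines containing NEEDLE.
tag() {
    if [ -n "${3-}" ]; then grep -F -- "$3" "$2"
    else grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$2"; fi 2>/dev/null |
    while IFS= read -r line; do printf '%s\t%s\t%s\n' "$1" "$2" "$line"; done
}

audit_persistence() {
    root=${1%/}
    for f in "$root"/etc/crontab "$root"/var/cron/tabs/* "$root"/var/spool/cron/crontabs/*; do
        [ -f "$f" ] && tag CRON "$f"             # every surviving entry needs a reason
    done
    for d in "$root"/var/at/jobs "$root"/var/spool/cron/atjobs; do
        [ -d "$d" ] && find "$d" -type f ! -name '.SEQ' -exec printf 'ATJOB\t%s\t\n' {} \;
    done
    for h in "$root"/root "$root"/home/* "$root"/usr/home/*; do
        [ -f "$h/.rhosts" ]  && tag RHOSTS "$h/.rhosts"              # "+ +" trusts everyone
        [ -f "$h/.forward" ] && tag FORWARD-PIPE "$h/.forward" '|'   # mail piped to a program
    done
    [ -f "$root/etc/hosts.equiv" ] && tag HOSTS_EQUIV "$root/etc/hosts.equiv"
    for a in "$root"/etc/aliases "$root"/etc/mail/aliases; do
        [ -f "$a" ] && tag ALIAS-PIPE "$a" '|'                      # alias that runs a command
    done
    return 0
}

# pids_only_in A B: PIDs (one per line) present in list A but not in list B.
# A pid only in A occurs once, in both lists three times, only in B twice,
# so "uniq -u" keeps exactly the A-only ones. On a live host feed it the PID
# column of the tool that sees more (top) as A and that of "ps ax" as B.
pids_only_in() {
    printf '%s\n' "$1" "$2" "$2" | sed '/^$/d' | sort -n | uniq -u
}

if [ -n "${1-}" ]; then audit_persistence "$1"; fi
```

Run as `sh audit.sh /mnt/suspect` against a mounted copy of the compromised disk; anything reported needs an explanation before the data is carried over to the reinstalled system.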