From: Will Maier <willmaier@ml1.net>
To: freebsd-security@freebsd.org
Date: Wed, 16 Nov 2005 20:06:22 -0600
Subject: Re: Need urgent help regarding security
Message-ID: <20051117020622.GE26954@localdomain>
In-Reply-To: <20051117012552.46503.qmail@web51607.mail.yahoo.com>
References: <20051117012552.46503.qmail@web51607.mail.yahoo.com>
List-Id: "Security issues [members-only posting]" <freebsd-security@freebsd.org>
User-Agent: Mutt/1.5.6+20040907i
On Wed, Nov 16, 2005 at 05:25:52PM -0800, Mark Jayson Alvarez wrote:
> However, we still haven't brought the server down in an attempt to
> track the intruder down. Right now we are clueless as to what we
> need to do.. Most of our servers are running legacy operating
> systems (old versions, mostly FreeBSD). Also, that particular server
> is running ProFTPD Version 1.2.4, which someone has suggested to
> have a known vulnerability..

You should take the box off the network immediately. Before doing so,
get a dump of all open files using lsof(8), especially open network
sockets. The following is a start:

    $ lsof -Pni > /root/openfiles.txt

Do not use shutdown(8) or reboot(8) to shut the machine down, as these
may trigger scripts that could remove or obfuscate evidence of the
break-in. Simply powering the machine off will leave it in a relatively
pristine state.

The machine will need to be rebuilt, and all passwords on it retired.
Consider whether the attacker could have compromised other systems on
your network via this machine; if so, change relevant passwords and
investigate further.

Do not boot from the compromised hard disk again; instead, mount it on
a safe machine and take a disk image. Do not alter the disk itself --
all investigation should occur using copies of the image.

If the other machines are in a state similar to the compromised machine
(in terms of OS upgrades, software upgrades, exposure), develop a plan
to bring them to a known safe/protected level. At a minimum, unnecessary
services should be turned off, strict password requirements should be
set, and all software (OS and third party) should be updated.

For extra credit: Using the image and the dump of open files, try to
determine the vector used to launch the attack. Understanding how they
got in might help you as you move to secure your other machines.
You're going to have rather a lot of work to do, unfortunately, which is
a rough way to start at your new job. If the previous admin had kept the
machines up to date, the likelihood that you'd have to respond to a
security incident on unfamiliar systems would be dramatically lessened.
Do the next admin a favor: keep these machines secure after you rebuild
them.

-- 
o--------------------------{ Will Maier }--------------------------o
| jabber:..wcmaier@jabber.ccc.de | email:..........wcmaier@ml1.net |
| \.........wcmaier@cae.wisc.edu | \..........wcmaier@cae.wisc.edu |
*------------------[ BSD Unix: Live Free or Die ]------------------*
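The procedure in the message above (capture open files and sockets first, pull the power rather than shutting down, then image the disk on a clean host and work only from copies) written out as one POSIX sh script. This is an added example, not code from Will Maier's message or from FreeBSD; the command list, the evidence directory layout, the function names, the /mnt/usb mount point and the /dev/ad1 device name are this example's own assumptions. Beyond the single lsof line in the message, it also hashes every captured file into a manifest and verifies the disk image against the source, so that the copies can later be shown to be unaltered.

```shell
#!/bin/sh
# Added example (not code from the original post): first-response collection
# for a box that is about to be unplugged, written as POSIX sh so it runs on an
# old FreeBSD userland. The command list, directory layout and function names
# are this example's own choices, not anything the post prescribes.
set -u

# Use whichever SHA-256 tool the host provides (FreeBSD: sha256, GNU: sha256sum).
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Capture volatile state (open files/sockets, processes, logins, mounts) into
# $1, which should be removable media or a remote mount, never the suspect
# disk, and hash every output file into a manifest so the copies can later be
# shown to be unaltered. Missing tools are logged and skipped, not fatal.
# Prints the number of commands whose output was captured.
collect_volatile() {
    out=$1
    mkdir -p "$out" || return 1
    manifest="$out/MANIFEST.sha256"
    : > "$manifest"
    n=0
    # name|command pairs; the command strings are fixed literals, so letting
    # the shell word-split $cmd below is intended
    for entry in \
        'date|date' \
        'uptime|uptime' \
        'openfiles|lsof -Pni' \
        'sockets|sockstat -46' \
        'netstat|netstat -an' \
        'procs|ps auxww' \
        'logins|w' \
        'last|last' \
        'mounts|mount' \
        'ifaces|ifconfig -a' \
        'arp|arp -an'
    do
        name=${entry%%|*}
        cmd=${entry#*|}
        tool=${cmd%% *}
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "$name: $tool not available on this host" >> "$out/MISSING.txt"
            continue
        fi
        $cmd > "$out/$name.txt" 2>&1 || true
        printf '%s  %s\n' "$(sha256_of "$out/$name.txt")" "$name.txt" >> "$manifest"
        n=$((n + 1))
    done
    echo "$n"
}

# Copy a device (or, for testing, any file) block-for-block from $1 to $2
# without ever writing to the source, then verify the copy by hash.
# bs=512 matches the sector size, so conv=noerror,sync can skip unreadable
# sectors (zero-filled, logged in $2.dd.log) without changing the image length
# for a whole-device read. Returns 0 only when source and image hash the same.
image_disk() {
    src=$1
    img=$2
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2> "$img.dd.log" || return 1
    src_hash=$(sha256_of "$src")
    img_hash=$(sha256_of "$img")
    printf '%s  %s\n%s  %s\n' "$src_hash" "$src" "$img_hash" "$img" > "$img.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# Usage on the suspect host, as root, with removable media mounted at /mnt/usb
# (assumed mount point):
#   collect_volatile /mnt/usb/evidence-$(hostname)
# Then power off, move the disk to a clean host, and there:
#   image_disk /dev/ad1 /mnt/usb/evidence-$(hostname)/ad1.img
# (/dev/ad1 is a placeholder; use whatever device the suspect disk appears as)
```

The evidence directory is written to removable media rather than to /root so that collecting the evidence does not itself overwrite unallocated space on the disk you are about to image. If a hash mismatch is reported by image_disk, the dd log will show which sectors were unreadable; keep that log with the image. On the analysis host, attach a copy of the image read-only (for instance with mdconfig(8) using its readonly option and mount -o ro) and never the original disk, so the procedure stays consistent with the "copies only" rule in the message.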