Date:      Thu, 30 Aug 2001 16:21:09 +0800
From:      "Matthew P. Marino" <freebsd@citystamp.com>
To:        Tim Erlin <tperlin@yahoo.com>
Cc:        bbayorgeon@new.rr.com, freebsd-questions@FreeBSD.ORG
Subject:   Re: Ok, I have been hacked, toor exploited apparently
Message-ID:  <3B8DF774.CF0BDACD@citystamp.com>
References:  <20010830035959.27838.qmail@web11703.mail.yahoo.com>

Not only that, remove every line from inetd.conf and only put things back in
when you find you need them. If you can log in to your machine remotely and run
a shell, so can someone else. Even the things that seem safe should be treated
with respect. Any user accounts that won't ever run a shell should have a bogus
shell indicated in the /etc/passwd file. 


I noticed you're on rr.com. It's a bad place. I loaded up a new server. Within 1
hour, I had a warez kiddie dropping garbage in anonymous ftp. I thought I had a
little time to button down but I guess there's a constant drone of portscans
going on. At least that's what "snort" reports. 

Tim Erlin wrote:
> 
> Once the box has been compromised, there is no way for
> you to be *sure* that it's whole again. Best advice is
> to reinstall from scratch.
> 
> Small piece of advice, don't run telnet. Run SSH
> instead. There was a telnetd vulnerability in versions
> of FreeBSD prior to July...that might be the problem
> here.
> 
> --Tim Erlin
> 
> --- Brian <bbayorgeon@new.rr.com> wrote:
> > I finally noticed yesterday that something was
> > amiss.
> >
> > As it turns out the entire contents of my etc directory were deleted.
> > Cruising through the log files I found the following
> > interesting
> > items.  (I log the heck out of everything)
> >
> >
> >  7-info.log:Aug  7 08:15:46 ceil telnetd[24924]: ttloop:  peer died: No such file or directory
> >  daemon.log:Aug  7 08:15:46 ceil telnetd[24924]: ttloop:  peer died: No such file or directory
> > 8-debug.log:Aug  7 08:47:55 ceil passwd: user toor changed their local password
> >    user.log:Aug  7 08:47:55 ceil passwd: user toor changed their local password
> > console.log:Aug  7 08:44:16 ceil inetd[335]: shell/tcp6: unknown service
> >   4-err.log:Aug  7 08:44:16 ceil inetd[335]: shell/tcp6: unknown service
> >  daemon.log:Aug  7 08:44:16 ceil inetd[335]: shell/tcp6: unknown service
> >    ipfw.log:Aug  7 08:15:40 ceil /kernel: ipfw: 5500 Accept TCP 198.143.213.134:1049 xx.xxx.xxx.xxx:23 in via ed1
> >    ipfw.log:Aug  7 08:15:46 ceil /kernel: ipfw: 5500 Accept TCP 198.143.213.134:1050 xx.xxx.xxx.xxx:23 in via ed1
> >    ipfw.log:Aug  7 08:40:13 ceil /kernel: ipfw: 5400 Accept TCP 24.164.145.194:20 xx.xxx.xxx.xxx:49161 in via ed1
> >    ipfw.log:Aug  7 08:40:35 ceil /kernel: ipfw: 5400 Accept TCP 24.164.145.194:20 xx.xxx.xxx.xxx:49162 in via ed1
> >
> >
> > My box sits on the net via a cable modem 24/7 with a
> > relatively
> > fixed ip address.  I have been seeing all kinds of
> > junk filtered
> > out with IPFW.  I did however leave ftp open and
> > telnet on the
> > firewall.  The following two log items seem to be
> > the best clues
> > of what happened.
> >
> > Aug  7 08:44:16 ceil inetd[335]: shell/tcp6: unknown service
> > Aug  7 08:47:55 ceil passwd: user toor changed their local password
> >
> > I guess I am looking for advice to help identify
> > what happened so
> > I can close the loopholes and keep those pesky
> > folks out.  Took
> > me several hours to recover my etc directory from a
> > partial
> > backup I did almost a year ago.  I still do not know
> > if I have it
> > all correct, but I am up and running again anyhow.
> >
> > I have never done anything with the toor passwd.  It
> > has always
> > remained undefined or "*".  Was this a huge mistake?
> >  The other
> > thing is what the heck is "inetd[335]: shell/tcp6:
> > unknown
> > service"?  Is this how the hacker got it?  It
> > happened a few min
> > before the passwd for toor was changed.
> >
> > Thanks for any advice.
> >
> > Brian
> >
> >
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-questions" in the body of
> > the message
> 

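The log lines Brian quoted, and the hardening advice at the top of this reply (empty out inetd.conf, give non-interactive accounts a bogus shell), lend themselves to a small triage script. The following Python is an added example for this archive page, not code from any of the posters: it parses constructed copies of the quoted syslog and ipfw lines (the year 2001 is assumed), builds the timeline a responder would want to see (accepted inbound telnet, the active-mode ftp-data transfers, inetd's "shell/tcp6: unknown service" request, and the toor password change correlated with the preceding telnet source), and audits a constructed /etc/passwd fragment for accounts that can still run a shell. The port-to-service mapping, the list of nologin shells and the sample passwd entries are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed copies of the syslog and ipfw lines quoted in this thread. The year
# (2001) is assumed; the victim's own address was masked as xx.xxx.xxx.xxx in the mail.
SAMPLE_LOGS = """\
Aug  7 08:15:40 ceil /kernel: ipfw: 5500 Accept TCP 198.143.213.134:1049 xx.xxx.xxx.xxx:23 in via ed1
Aug  7 08:15:46 ceil /kernel: ipfw: 5500 Accept TCP 198.143.213.134:1050 xx.xxx.xxx.xxx:23 in via ed1
Aug  7 08:15:46 ceil telnetd[24924]: ttloop:  peer died: No such file or directory
Aug  7 08:40:13 ceil /kernel: ipfw: 5400 Accept TCP 24.164.145.194:20 xx.xxx.xxx.xxx:49161 in via ed1
Aug  7 08:40:35 ceil /kernel: ipfw: 5400 Accept TCP 24.164.145.194:20 xx.xxx.xxx.xxx:49162 in via ed1
Aug  7 08:44:16 ceil inetd[335]: shell/tcp6: unknown service
Aug  7 08:47:55 ceil passwd: user toor changed their local password
"""

# Constructed /etc/passwd fragment in FreeBSD's seven-field layout (assumed sample data).
SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/bin/sh
ftp:*:14:5:Anonymous FTP Admin:/var/ftp:/sbin/nologin
brian:*:1001:1001:Brian:/home/brian:/bin/sh
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) (?P<src>\S+):(?P<sport>\d+) "
    r"(?P<dst>\S+):(?P<dport>\d+) (?P<dir>in|out) via (?P<iface>\S+)")

# Clear-text login services (port -> /etc/services name); this set is an assumption.
CLEARTEXT_LOGIN_PORTS = {"21": "ftp", "23": "telnet", "513": "login", "514": "shell"}
SUPERUSER_ACCOUNTS = {"root", "toor"}
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/nonexistent"}


def parse_line(line, year):
    """Split one syslog line into fields; ipfw kernel messages also get their 5-tuple."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(f"{year} " + " ".join(ev["ts"].split()), "%Y %b %d %H:%M:%S")
    f = IPFW_RE.search(ev["msg"])
    if f:
        ev.update(f.groupdict())
    return ev


def triage(log_text, year=2001, window=timedelta(hours=1)):
    """Return the incident-relevant events in time order, with the toor change correlated."""
    events = [e for e in (parse_line(ln, year) for ln in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])          # stable, so same-second lines keep file order
    findings, logins = [], []
    for e in events:
        when = e["ts"].strftime("%b %d %H:%M:%S")
        inbound = e.get("action") == "Accept" and e.get("dir") == "in"
        if inbound and e["dport"] in CLEARTEXT_LOGIN_PORTS:
            logins.append(e)
            findings.append({"kind": "inbound_login", "when": when, "src": e["src"],
                             "service": CLEARTEXT_LOGIN_PORTS[e["dport"]], "rule": e["rule"]})
        elif inbound and e["sport"] == "20":
            # Remote ftp-data port connecting in: an active-mode FTP transfer with that host.
            findings.append({"kind": "ftp_data", "when": when, "src": e["src"]})
        elif e["prog"] == "inetd" and e["msg"].endswith("unknown service"):
            # Something asked inetd for a service that is not configured (here: rshd).
            findings.append({"kind": "unknown_service", "when": when,
                             "service": e["msg"].split(":")[0]})
        elif e["prog"] == "passwd" and "changed their local password" in e["msg"]:
            user = e["msg"].split()[1]
            if user in SUPERUSER_ACCOUNTS:
                recent = sorted({lg["src"] for lg in logins if e["ts"] - lg["ts"] <= window})
                findings.append({"kind": "superuser_passwd", "when": when, "user": user,
                                 "recent_sources": recent})
    return findings


def audit_passwd(passwd_text, system_uid_max=999):
    """Flag accounts that can still run a shell: extra uid-0 users and service accounts."""
    extra_uid0, service_with_shell = [], []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        shell = shell or "/bin/sh"              # an empty shell field means the Bourne shell
        if uid == "0":
            if name != "root":
                extra_uid0.append((name, shell))
        elif int(uid) <= system_uid_max and shell not in NOLOGIN_SHELLS:
            service_with_shell.append((name, shell))
    return {"extra_uid0": extra_uid0, "service_with_shell": service_with_shell}


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS):
        print(finding)
    print(audit_passwd(SAMPLE_PASSWD))
```

Run against the quoted lines, the timeline shows two accepted telnet connections from one source at 08:15, two ftp-data transfers with a second host at 08:40, the unconfigured "shell/tcp6" request at 08:44 and the toor password change at 08:47, with the telnet source listed as the only clear-text login inside the one-hour window. The passwd audit reports toor (uid 0 with an empty shell field, so a real shell) and a service account with /bin/sh, which is exactly what the advice about bogus shells is meant to catch.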