From owner-freebsd-questions Sun Sep 30 15:43:39 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from jason-n3xt.org (42.mujb.dlls.dllstxbk.dsl.att.net [12.98.249.42]) by hub.freebsd.org (Postfix) with ESMTP id 3C9BB37B40D; Sun, 30 Sep 2001 15:43:23 -0700 (PDT)
Received: from localhost (jason@localhost) by jason-n3xt.org (8.11.6/8.11.5) with ESMTP id f8UMhPA10407; Sun, 30 Sep 2001 22:43:25 GMT (envelope-from jason@jason-n3xt.org)
Date: Sun, 30 Sep 2001 22:43:24 +0000 (GMT)
From: Jason
To: freebsd-questions@FreeBSD.ORG
Cc: "questions@freebsd.org"
Subject: Re: I was rooted using telnet
In-Reply-To: <20010930101201.C98775@acadia.ne.mediaone.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=X-UNKNOWN
Content-Transfer-Encoding: QUOTED-PRINTABLE
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Yes I did see it on my daily reports AFTER it happened. They only had
approx 4-5 hours on my box, between the time I went to bed and woke up.
When I get up and get to my box the first thing I do is check to see who
is on. I saw two unauthorized users (1 and 11). One of them was running a
BNC for irc and the other was just idle. There were 2 other users created
as well (tmp and asaf). I immediately killall'ed them, turned off telnet
in inetd.conf and added the telnet port to my firewall. I have since
examined the contents of the home dirs they created. They did in fact use
a buffer overflow exploit.

A couple of people have requested it.. once I have time (I have a lot
going on at work) I'll send the code and compiled script to the reputable
requesters.

----
Jason
jason@jason-n3xt.org

On Sun, 30 Sep 2001, Louis LeBlanc wrote:

> On 09/30/01 01:35 PM, Jason sat at the `puter and typed:
> > I personally only use ssh when I am remote. I don't think that is the
> > problem. No one else has privileges on my box and I don't su remotely
> > unless it's something that can't possibly wait until I get home.
>
> How about the password? Is it a 'strong' one? How easy would it have
> been to find thru brute force?
>
> I imagine you haven't seen anything on your daily security output, or
> you would have mentioned that.
>
> Lou
>
> > ---
> > Jason
> > jason@jason-n3xt.org
> >
> > On Sun, 30 Sep 2001, Doug Reynolds wrote:
> >
> > > On Sun, 30 Sep 2001 00:38:38 +0000 (GMT), Jason wrote:
> > >
> > > >I do recall the security notice. I read it on the website and from the
> > > >security list. I was already planning a cvsup at the time and I asked a
> > > >couple of BSD gurus I know if that when I update my sources by cvsup,
> > > >would that take care of the problem. They told me it would. So a couple
> > > >of days after I saw the security advisory I cvsuped from
> > > >cvsup2.FreeBSD.org (i usually only use 2 or 3) and thought the problem was
> > > >taken care of. I don't recall seeing any other advisories.
> > >
> > > the only thing i can think of is if they hacked u, they probably
> > > grabbed your root password and logged on with it. _always_ ssh when
> > > you su
> > >
> > > >> Were you running a ver of FreeBSD prior to July 23, 2001? Versions prior
> > > >> to July 23 had a remotely rootable telnetd as per
> > > >> ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:49.telnetd.v1.1.asc
> > > >>
> > > >> On Sat, 29 Sep 2001, Jason wrote:
> > > >>
> > > >> > Hello:
> > > >> >
> > > >> > A couple of days ago I was rooted by someone using a telnet exploit. I
> > > >> > have been cvsup'ing my sources regularly and was using 4.4-RC at the
> > > >> > time. I've since moved to 4.4-STABLE. It looks like they used some kind
> > > >> > of script. I still have it if anyone wants it. Since then I have turned
> > > >> > off telnet in inetd and blocked the port with a firewall.
> > > >> >
> > > >> > Anyone have any ideas on how a person could do this? It looks like this
> > > >> > script just tries to move a lot of data for a long period of time.
> > > >> >
> > > >> > ---
> > > >> > Jason
> > > >> > jason@jason-n3xt.org
> > >
> > > ---
> > > doug reynolds | the maverick | mav@wastegate.net
>
> --
> Louis LeBlanc leblanc@acadia.ne.mediaone.net
> Fully Funded Hobbyist, KeySlapper Extraordinaire :)
> http://acadia.ne.mediaone.net Ô¿Ô¬
>
> Computer, n.:
> An electronic entity which performs sequences of useful steps in a
> totally understandable, rigorously logical manner. If you believe
> this, see me about a bridge I have for sale in Manhattan.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
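The two checks Jason describes after the break-in (look at who is logged on, and confirm telnet is disabled in inetd.conf) as a small audit script. This is an added example, not code from the thread or from FreeBSD; the `who` output and inetd.conf text are constructed samples, and the allowlist of expected login names is an assumption.

```shell
#!/bin/sh
# Added example (not from the list post): audit helpers for the two checks
# described in the thread. Input is passed in as text so it runs offline on
# the constructed samples below; on a real box feed it `who` output and the
# contents of /etc/inetd.conf instead.

# Print login names from who(1) output that are not in the allowlist.
# $1 = who(1) output, $2 = space-separated list of expected login names.
unexpected_logins() {
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF && !($1 in ok) { print $1 }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Return 0 if inetd.conf text still has an active (uncommented) telnet entry.
telnet_enabled() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*telnet[[:space:]]'
}

# Emit the inetd.conf text with any active telnet entry commented out.
disable_telnet() {
    printf '%s\n' "$1" | sed -E 's/^([[:space:]]*telnet[[:space:]])/#\1/'
}

# Constructed samples (not real data from the incident).
WHO_SAMPLE='jason    ttyv0    Sep 30 07:10
jason    ttyp0    Sep 30 07:12 (localhost)
tmp      ttyp1    Sep 30 03:05 (192.0.2.10)
asaf     ttyp2    Sep 30 03:40 (192.0.2.10)'

INETD_SAMPLE='ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
#shell   stream  tcp     nowait  root    /usr/libexec/rshd       rshd'

# Demo run on the constructed samples; "jason" is the assumed allowlist.
echo "Unexpected logins: $(unexpected_logins "$WHO_SAMPLE" "jason")"
if telnet_enabled "$INETD_SAMPLE"; then
    echo "telnet is still enabled in inetd.conf; disabled copy follows:"
    disable_telnet "$INETD_SAMPLE"
fi
```

On a live system the commented-out copy would be written back and inetd sent a HUP; the script deliberately only prints it.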