Date:      Fri, 19 Oct 2001 17:18:39 +0200
From:      Alson van der Meulen <alm@flutnet.org>
To:        freebsd-security@FreeBSD.ORG
Subject:   Re: I got hacked, not login wise, software wise
Message-ID:  <20011019171839.I7347@md2.mediadesign.nl>
In-Reply-To: <06cf01c1582d$ff363600$f6f073d1@mpionline.com>
References:  <20011018131823.Y621-100000@jodie.ncptiddische.net> <011e01c157cf$9b401700$f6f073d1@mpionline.com> <20011018165057.V3734@ns2.wananchi.com> <01e701c157e4$f012abc0$f6f073d1@mpionline.com> <20011018180513.C3734@ns2.wananchi.com> <20011018114805.E70327@acadia.ne.mediaone.net> <018801c157ef$37ec0720$f6f073d1@mpionline.com> <03db01c15812$c4575d40$f6f073d1@mpionline.com> <06cf01c1582d$ff363600$f6f073d1@mpionline.com>

On Thu, Oct 18, 2001 at 05:38:31PM -0600, Tomek wrote:
> Hello there,
> 
> ==QUICK SUMMARY TO NOT WASTE YOUR TIME===
> =Without a doubt I have been hacked
> =No one should have any accounts or access except me
> =They managed to create some files in /  to unzip and install sudo
> =They seemed to be running under "Broot"
> =They tried to make user "l-x" as wheel but failed to login
> =They repeatedly have tried anonymous ftp and failed
> 
> Why I think it is NOT a login hack but some kind of buffer or software
> hack
> =log files show nothing about logins
> =doubtful they just covered their tracks because they left files sitting
> in / as well as left the user "l-x"
> 
> ===MY SUMMARY===
> I think they found a way to get some program (I use a limited and
> careful selection of them) to create the files as "Broot" and they tried
> to find a way to login but failed. I am NOT sure about this, maybe they
> did cover their tracks but were sloppy and left more obvious hints.
> 
> ===MY QUESTIONS===
> =1= I have a user "Broot", I noticed it only a few days after installing
> FreeBSD 4.3-RELEASE (GENERIC) #0. Is it normal? Many say they do not
> have it, but on google a search shows many do.
> 
> =2= Is there ANY way of determining WHICH program/process has allowed
> commands to be run to create/install "sudo" (which is what the hacker
> has installed). It is NOT a logged in user that installed it. Maybe
> there are some logs for what processes were running at the time, what
> process made a file, or whatever.
If you enabled accounting before the hack, you could use
sa/lastcomm/friends to determine what was run. If they used bash as shell,
there might have been some .bash_history left.
> 
> =3= Any other advice?
> 
> NOTE: I have not yet notified the hacker I am on to them, I am hoping to
> catch them doing something so I know what they are after. But they may
> realize I am on to them by now.
Enable accounting in rc.conf, and reboot (or look in /etc/rc and execute
the commands manually).

Beware that if they're smart, they can disable all kinds of security
measures if they've root access (f.e. turn accounting off).

Check how they came in (guess it's indeed telnetd), patch it or disable
telnetd, and find out if they've left any backdoors (if the box is only
a few days old, a reinstall might be the easiest solution to be sure,
you should wipe and reinstall after a successful breakin anyway).
-- 
,-------------------------------------------.
> Name:           Alson van der Meulen      <
> Personal:        alson@flutnet.org        <
> School:       alson@gymnasiumleiden.nl    <
`-------------------------------------------'
Terminated??!
---------------------------------------------
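The reply above suggests enabling process accounting and using lastcomm/sa to find out what was run. The script below is an added example, not part of the thread and not Alson's or Tomek's code: it reads lastcomm-style records and flags the ones a defender would want to look at first, namely processes run by an account that should not exist on the box (such as the "Broot" user Tomek describes) and processes that ran with the superuser flag under a non-root account. It does not run lastcomm itself; the accounting output is a constructed sample that only approximates lastcomm's column layout, the user list is hypothetical, and "tomek" stands in for the admin's own login.

```sh
#!/bin/sh
# Added example (not from the original thread). Triage of process-accounting
# records as suggested in the reply above. Accounting is switched on with
# accounting_enable="YES" in /etc/rc.conf (or by running accton by hand);
# from then on lastcomm(1) prints one line per completed process. This
# script does not call lastcomm; it reads lastcomm-style lines from a file
# or stdin and prints the ones worth a closer look.

# CONSTRUCTED sample approximating lastcomm's columns
# (command, flags, user, tty, cpu time, date). Not real output.
# Flag S means the process ran with superuser privileges.
SAMPLE_ACCT='sshd             -      root     __          0.05 secs Thu Oct 18 17:30
sh               -      tomek    ttyp0       0.01 secs Thu Oct 18 17:31
ls               -      tomek    ttyp0       0.00 secs Thu Oct 18 17:31
su               -S     tomek    ttyp0       0.02 secs Thu Oct 18 17:32
gunzip           -      Broot    __          0.12 secs Thu Oct 18 17:35
tar              -      Broot    __          0.30 secs Thu Oct 18 17:35
sh               -S     Broot    __          0.02 secs Thu Oct 18 17:36
sudo             -S     Broot    __          0.03 secs Thu Oct 18 17:38
adduser          -S     Broot    __          0.10 secs Thu Oct 18 17:39
ftpd             -      ftp      __          0.02 secs Thu Oct 18 17:40'

# Accounts that are expected to run processes on this box. Hypothetical
# list for the example; "tomek" stands in for the admin's own login.
KNOWN_USERS="root tomek ftp daemon operator"

# suspicious_acct [FILE]  (reads stdin when FILE is omitted)
# Prints "command user reason" for every record where the user is not in
# KNOWN_USERS, or where the S flag is set for a user other than root.
suspicious_acct() {
    awk -v known="$KNOWN_USERS" '
    BEGIN {
        n = split(known, k, " ")
        for (i = 1; i <= n; i++) ok[k[i]] = 1
    }
    NF >= 3 {
        cmd = $1; flags = $2; user = $3
        reason = ""
        if (!(user in ok))
            reason = "unknown user " user
        else if (index(flags, "S") > 0 && user != "root")
            reason = "superuser flag for " user
        if (reason != "")
            printf "%-12s %-8s %s\n", cmd, user, reason
    }' "$@"
}

# Stand-alone demo: run the check over the constructed sample.
printf '%s\n' "$SAMPLE_ACCT" | suspicious_acct
```

Run against a live box it would be `lastcomm | suspicious_acct`, after checking whether accounting is still switched on, since the reply notes that an intruder with root can simply turn it off; an unexpected gap in the record is itself a finding.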