From owner-freebsd-security Sun Dec 20 10:44:56 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA08188 for freebsd-security-outgoing; Sun, 20 Dec 1998 10:44:56 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from aniwa.sky (p54-nas1.wlg.ihug.co.nz [216.100.145.54]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA08173; Sun, 20 Dec 1998 10:44:51 -0800 (PST) (envelope-from andrew@squiz.co.nz)
Received: from localhost (andrew@localhost) by aniwa.sky (8.8.8/8.8.7) with ESMTP id HAA09283; Mon, 21 Dec 1998 07:42:55 +1300 (NZDT) (envelope-from andrew@squiz.co.nz)
Date: Mon, 21 Dec 1998 07:42:55 +1300 (NZDT)
From: Andrew McNaughton
X-Sender: andrew@aniwa.sky
Reply-To: andrew@squiz.co.nz
To: Alejandro Galindo Chairez AGALINDO
cc: freebsd-security@FreeBSD.ORG, questions@FreeBSD.ORG
Subject: Re: udp security
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, 20 Dec 1998, Alejandro Galindo Chairez AGALINDO wrote:

> My name is Alejandro and I have some servers in Mexico with FreeBSD 2.2.5,
> 2.2.6 and 2.2.7 releases (from Walnut Creek CDROM).
>
> One month ago my servers were attacked by some hackers. I was
> monitoring their activities and I only know that they are using the user
> datagram protocol. I installed a firewall but this can't stop their
> activities. I am worried because last week they deleted the log files from
> /var/log and last day they accessed one of my servers with a username and a
> password (they created the username and password, they accessed the server
> for 3 minutes and then they deleted the user). I AM WORRIED because I don't
> know how they did that. The server violated had the 2.2.5 version and I
> upgraded it to the 2.2.7 release, but this morning the hackers insist on
> accessing my servers.
>
> I need help. I need to know how to protect my servers, but the most
> important thing in my mind is to know how they are accessing the servers. I
> bought the Firewalls book from O'Reilly & Associates and I was using the
> firewall with ipfw, but this doesn't stop the hackers.
>
> Thanks for your help
>
> Alejandro Galindo

You haven't provided much information that anyone could use to help you pin
down the problem. About all that anyone could give you from this is pointers
on how you might isolate the problem. So, here's a bundle of the usual bits
of advice.

Pretty much everyone who's come to the freebsd-security list about getting
hacked this year has been hacked through the popper bug. If you're running
popper, upgrade to the latest version or to a different pop server.

If your hackers have been able to create an account, then they have root
privileges, and have probably installed a backdoor or two. You can not expect
to cover every possible vulnerability that may have been introduced.
Reinstall from scratch as soon as is practical, and install tripwire while
you're at it (before you connect the newly installed OS to the network).

You say you think you're being hacked through udp. Why? How have you set up
your firewall? What traffic do you expect to see, and what blocks and logging
do you have in place for other traffic?

Go through all of your network services (netstat -a) and for each open port
find out exactly what version of what software you are running. With a list
of these in hand, search bugtraq, rootshell, fyodors etc. for exploits that
affect you.

For every service you run as root, look to see if you can run it under a
different uid.

For each service, identify who you expect to be using it from where. Limit
where services can be accessed from accordingly. Use ipfw and/or tcpwrappers.

Run a few of the major scanners on yourself. ISS, SATAN, COPS.

Set syslog up to pass your logs out to another machine which you trust, i.e.
get your logs out before they get wiped.
Back up now if you don't have a backup. Don't trust this backup any more than
you must.

Change your passwords.

Remove shells from every account that doesn't need it. Disable rhosts if you
don't need it. Disable suid bits where possible.

Consider where sniffers might be on your network and check this out. (You
should *NEVER* send root passwords as clear text. Use ssh.)

If your security is commercially important and you don't have the skills to
deal with your problem, then consider hiring help.
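A small triage script for the inventory step in the reply above (list what netstat -a shows, then compare it with the traffic you expect to see), added here as an example; it is not part of the original mail. It assumes BSD-style `netstat -an` output and works on a constructed sample rather than a live host.

```shell
#!/bin/sh
# Constructed sample of BSD `netstat -an` output (made up for this example;
# on a real host pipe `netstat -an` into the functions instead).
SAMPLE='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.110                  *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  10.0.0.5.22            10.0.0.9.1034          ESTABLISHED
udp4       0      0  *.514                  *.*
udp4       0      0  *.111                  *.*
udp4       0      0  10.0.0.5.1025          10.0.0.1.53'

# Read netstat -an output on stdin and print "proto port" for every socket
# that will accept unsolicited input: TCP sockets in LISTEN, and UDP sockets
# with no peer bound (foreign address *.*). Output is sorted and de-duplicated.
listening_ports() {
  awk '
    function emit(proto, addr,   n, parts) {
      n = split(addr, parts, ".")      # port is the last dotted component
      print proto, parts[n]
    }
    $1 ~ /^tcp/ && $NF == "LISTEN" { emit("tcp", $4) }
    $1 ~ /^udp/ && $5 == "*.*"     { emit("udp", $4) }
  ' | sort -u -k1,1 -k2,2n
}

# $1 is the list of services you expect, as space-separated "proto port"
# pairs (e.g. "tcp 22 udp 514"). Reads netstat -an output on stdin and prints
# every listener NOT on that list: each one is either an undocumented service
# or a candidate backdoor and needs its software and version identified.
unexpected_ports() {
  expected="$1"
  listening_ports | while read -r proto port; do
    case " $expected " in
      *" $proto $port "*) ;;               # expected, say nothing
      *) echo "$proto $port" ;;
    esac
  done
}

# Stand-alone demo: only sshd and syslogd are expected on this host.
printf '%s\n' "$SAMPLE" | unexpected_ports "tcp 22 udp 514"
```

Run it as `netstat -an | sh -c '. ./triage.sh; unexpected_ports "tcp 22 udp 514"'` style once the functions are in a file; the demo line at the bottom exists only so the script does something when executed directly.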