Date:      Mon, 28 Jul 1997 17:58:05 -0700 (PDT)
From:      Vincent Poy <vince@mail.MCESTATE.COM>
To:        Gary Palmer <gpalmer@FreeBSD.ORG>
Cc:        "Jordan K. Hubbard" <jkh@time.cdrom.com>, security@FreeBSD.ORG, "[Mario1-]" <mario1@primenet.com>, JbHunt <johnnyu@accessus.net>
Subject:   Re: security hole in FreeBSD 
Message-ID:  <Pine.BSF.3.95.970728175055.3844W-100000@mail.MCESTATE.COM>
In-Reply-To: <9758.870137085@orion.webspan.net>

On Mon, 28 Jul 1997, Gary Palmer wrote:

=)Vincent Poy wrote in message ID
=)<Pine.BSF.3.95.970728161113.3844t-100000@mail.MCESTATE.COM>:
=)> On Mon, 28 Jul 1997, Jordan K. Hubbard wrote:
=)> 
=)> =)I think you are describing the symptom, not the problem.
=)> =)
=)> =)This looks very much like a system which was broken into and then
=)> =)trojan'd to allow easier, more invisible access.  How do you know,
=)> =)for example, that your telnetd is really telnetd?  Did you verify that? ;)
=)> 
=)> 	Well, because I connect to the system using telnet ;)  Also, this
=)> guy has been known to break in to machines
=)> (theca@wil-de7-10.ix.netcom.com).  This is the person who also hacked
=)> irc.hardlink.com. I think this person goes around hacking machine after
=)> machine, and nobody does anything about it. 
=)
=)If this hack caused loss of service, notify your local (or state)
=)police. They'll do something.

	It's out of state and notifying the FBI would take some time and
they would do more damage to the system.

=)> =)Also, I'd check that inetd.conf file again and make _really sure_ you
=)> =)haven't left remote shell access enabled - a lot of people miss that
=)> =)because it's not explicitly labelled "rlogin" like they might expect.
=)
=)> 	I checked and disabled everything except telnetd in
=)> /etc/inetd.conf and rebooted the machine and then he kicked all of us who
=)> are admins out and shutdown the system.
=)
=)Vince, I hate to say this, but you really need to learn more about
=)administering a system. Do you use SSH for secure access for people who
=)have root access? If not, you are *ASKING* to be hacked every day of
=)the week. If you don't use SSH, do you use one-time passwords
=)(e.g. skey?) How do you know your telnetd binary is what it claims to
=)be? Your machine has been compromised to the *ROOT* level. *EVERY*
=)single binary and file on that machine *COULD HAVE BEEN REPLACED*.

	We're not using ssh but were planning to do so until this happened.
I telneted in to make sure that it was really telnet and checked the file
size/dates and other info with another machine to verify it.  We're not
using one-time passwords either.  The break-in according to the hacker was
done because of a security hole in perl5.00401 and the default .rhosts
file that came with the root account so they were able to login to the
other machine to do damage.  The hacker was not interested in
mercury.GAIANET.NET even though that was where he did the hack from using
perl.  After the hack was done, he just rlogin'd to earth which is where he
had no shell access before.

=)Take that machine off the net *NOW* and work on it from console. If
=)that is not an option, then you really need to start learning (fast)
=)about just what a hacker can do to your system. If he really has that
=)level of access, you are *SCREWED* right now without console
=)access. Even if you put sshd on there now, he could have it replaced
=)with his own version before you could make use of it and kick him off.

	All the machines are already unreachable and off the net.  All of
the admins including me run the machine remotely since the owners are the
only ones who are local and they are out of the country for the next 4
months so there isn't any way to do it on the console.

=)And I must say, if you haven't taken reasonable steps to secure your
=)admin sessions, and following the security and cvs mailing lists for
=)bugs, then you really have been asking for this. I know (from
=)experience) just what it takes to run a shell server, and just what
=)hackers these days can do with 5 minutes of their spare time.

	I did follow the security and cvs mailing list for bugs, that's
why I make the necessary changes to the systems every time a new security
exploit is reported just to be on the safe side.


Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET           ________   __ ____ 
Unix Networking Operations - FreeBSD-Real Unix for Free / / / / |  / |[__  ]
GaiaNet Corporation - M & C Estate                     / / / /  | /  | __] ]  
Beverly Hills, California USA 90210                   / / / / / |/ / | __] ]
HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____]
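As an added example that is not part of this thread (not Gary's or Vince's code): a small POSIX shell audit of an inetd.conf that flags the r-services Gary warns are easy to miss, using the service names inetd actually lists them under, run against a constructed sample file.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an inetd.conf for the r-services
# (rshd/rlogind/rexecd). inetd lists them under the service names "shell",
# "login" and "exec", not "rsh"/"rlogin", which is why they are often left enabled.

# Constructed sample inetd.conf for the demonstration (not from any real host).
SAMPLE_INETD_CONF='# service socket proto wait/nowait user program args
ftp     stream  tcp  nowait  root    /usr/libexec/ftpd     ftpd -l
telnet  stream  tcp  nowait  root    /usr/libexec/telnetd  telnetd
shell   stream  tcp  nowait  root    /usr/libexec/rshd     rshd
login   stream  tcp  nowait  root    /usr/libexec/rlogind  rlogind
#exec   stream  tcp  nowait  root    /usr/libexec/rexecd   rexecd
finger  stream  tcp  nowait  nobody  /usr/libexec/fingerd  fingerd -s'

# Read an inetd.conf on stdin and print the service name of every enabled
# (uncommented) r-service entry, one per line. Exit status is 1 if any was
# found and 0 if none, so the function can gate a cron job or a post-reboot check.
find_enabled_rservices() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }                 # comment or blank: disabled
        $1 == "shell" || $1 == "login" || $1 == "exec" { print $1; found = 1 }
        END { exit found ? 1 : 0 }
    '
}

# Print every enabled service name, so what inetd actually offers can be
# compared with what the machine is supposed to offer.
list_enabled_services() {
    awk '!/^[ \t]*#/ && NF > 0 { print $1 }'
}

# Stand-alone run against the constructed sample.
echo "enabled services:"
printf '%s\n' "$SAMPLE_INETD_CONF" | list_enabled_services | sed 's/^/  /'
echo "enabled r-services (should be none):"
printf '%s\n' "$SAMPLE_INETD_CONF" | find_enabled_rservices | sed 's/^/  /'
```

To audit a live host, replace the sample with `find_enabled_rservices < /etc/inetd.conf`; a non-zero exit means rshd, rlogind or rexecd is still being served.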