From owner-freebsd-questions Thu Oct 18 8:12:11 2001
From: Odhiambo Washington
To: Tomek
Cc: FBSD-Q
Subject: Re: I got hacked, I think
Date: Thu, 18 Oct 2001 18:05:13 +0300
Message-ID: <20011018180513.C3734@ns2.wananchi.com>
In-Reply-To: <01e701c157e4$f012abc0$f6f073d1@mpionline.com>
X-Operating-System: FreeBSD 4.4-STABLE i386

* Tomek [20011018 17:54]: writing on the subject 'Re: I got hacked, I think'

| > Hmm, are you saying you know absolutely NOTHING about user l-x ???
| Correct, I do not give ANYONE access at ANY level to our system. I am
| the only user and I only allow telnet access from localhost and a few
| other in-house computers. No one except myself is allowed near the
| servers.

Hmm.

| > Aha, you've _never_ even tried useradd??? useradd is not a FreeBSD
| command but
| Useradd isn't the comment, it's just the description written to logs. I
| am not a Linux user, I am only a FreeBSD (and Windows unfortunately)
| user, nothing else for me.

So you were hacked still, if you didn't try that.

| > Again, sudo is not installed in FreeBSD by default. Did you install it
| No I never install useless programs that I don't know about. As I
| mentioned, I wasn't even using the server on the days they were
| installed (I keep extensive logs of what I personally do each day). So
| clearly someone found a way to install "sudo".

Yes.

| > In my case, I use sudo daily but whatever I do I always see in
| /var/log/messages.
| What would "sudo" logs contain? grep shows nothing under "sudo".

Like these:

Oct 17 17:00:51 ns2 sudo: wash : TTY=ttyp0 ; PWD=/home/wash ; USER=root ; COMMAND=/usr/bin/ee /etc/namedb/flexopac.com
Oct 17 17:01:01 ns2 sudo: wash : TTY=ttyp0 ; PWD=/home/wash ; USER=root ; COMMAND=/usr/bin/ee /etc/namedb/flexopak.com
Oct 17 17:01:31 ns2 sudo: wash : TTY=ttyp0 ; PWD=/home/wash ; USER=root ; COMMAND=/usr/sbin/ndc reload

| > That is now it. The hacker logged in, created user l-x, erased his tracks
| > from adduser.log and now is attempting login from 212.199.120.9 - you see?
| Here is where my questions come to play. I see generally what is
| happening, I also see l-x failed to login, and I also see that this
| hacker is STILL (even 1 hour ago) trying to anonymous login but gets
| refused. If he has access, then why is he still trying to anonymous
| login? (unless it's a different hacker/robot that is getting nowhere).

Maybe someone walked onto your machine, rebooted into single user mode, did everything he wanted as root, then walked away and expected that now, since he's punched enough holes, he can just telnet from wherever.....

| What REALLY caught me off guard is you saying "Broot" is unknown, Broot
| user was there from the moment I installed FreeBSD and google search
| shows it everywhere, so I'm not worried about that even though my old
| version of FreeBSD didn't have a Broot.

Hmm, where do I find this Broot in my system? I run FreeBSD 4.4 in all my systems.

| > /bin/auth/ - man format your box asap and reinstall. You were hacked.
| /usr/local/news/bin/auth/passwd/ckpasswd was the full pathname.

There is no such path in my boxes. Maybe because I have not installed any news apps???? Maybe someone is hiding those apps in there??

| My goal is NOT to just delete the system, that would be crazy. It seems
| I have been COMPLETELY hacked, inside and out, and I have to know where
| the leak was or I might end up in the same position again. I am leaving
| everything as is except I have installed several logging programs to try
| and see WHAT this person is doing, from that I will know what damage may
| have been done.

Okay. Tripwire could have helped. I haven't run it either but I wish you luck. I hope the hacker doesn't wreak havoc.

| ===
| It appears most of the files have had chmod "s" run on them, not sure
| what that means but I'll check shortly.... it's SOO aggravating to be
| sitting here KNOWING someone is hacking me and be forced to wait and try
| and find out what they are doing... risky too.

's' is the setuid bit on a file; it makes it run with root privileges.

-Wash

Odhiambo Washington
Systems Administrator
Wananchi Online Ltd., 1st Flr Loita Hse, Loita Street
PO Box 10286, 00100-NAIROBI, KE.
Fax: 254 2 313985-9 / 254 2 313922
E-mail: wash@wananchi.com
URL: http://www.wananchi.com
GSM: 254 72 743 223 / 254 733 744 121
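The three things this exchange circles around (sudo entries in /var/log/messages from a user who should never have had sudo, an account such as l-x that the admin never created, and files with the setuid bit set), as an added shell example that is not part of the original thread or of any FreeBSD tool. The log lines it parses follow the sudo syslog format quoted in the message above; the log, the two passwd files and the directory tree it runs against are constructed samples, and the function names and the allow-list argument are my own.

```shell
#!/bin/sh
# Added example, not code from the original thread. Three checks an admin in
# Tomek's position would want to script: sudo entries from users who should
# not have sudo, login names that were not present at install time, and
# files carrying the setuid bit. Function names and arguments are my own.
# Assumed log format: the syslog lines sudo writes, as quoted in the message:
#   Oct 17 17:00:51 ns2 sudo: wash : TTY=ttyp0 ; PWD=/home/wash ; USER=root ; COMMAND=/usr/bin/ee /etc/namedb/flexopac.com

# 1. Print "user<TAB>target<TAB>command" for every sudo entry in log file $1
#    whose invoking user is not in the space-separated allow list $2.
sudo_unexpected() {
    allowed=" $2 "
    grep ' sudo: ' "$1" | while IFS= read -r line; do
        rest=${line#* sudo: }          # "wash : TTY=... ; ... ; COMMAND=..."
        user=${rest%% : *}             # invoking user
        target=${rest#*USER=}          # target user, up to the next " ;"
        target=${target%% ;*}
        cmd=${rest#*COMMAND=}          # command exactly as sudo logged it
        case "$allowed" in
            *" $user "*) ;;            # expected invoker, skip
            *) printf '%s\t%s\t%s\n' "$user" "$target" "$cmd" ;;
        esac
    done
}

# 2. Login names present in passwd-format file $2 but absent from baseline
#    $1 (for example a copy of /etc/passwd saved right after installation).
new_accounts() {
    base=$(mktemp "${TMPDIR:-/tmp}/base.XXXXXX")
    cut -d: -f1 "$1" | sort > "$base"
    cut -d: -f1 "$2" | sort | comm -13 "$base" -
    rm -f "$base"
}

# 3. Regular files under $1 with the setuid bit (mode 4000) set. A setuid
#    file runs with its owner's privileges, so root-owned hits matter most.
find_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Constructed sample data (not real logs) written under directory $1 so the
# script runs offline: a log with one sudo line from an unknown user "l-x",
# a baseline and a current passwd, and a small tree with one setuid file.
make_sample() {
    cat > "$1/messages" <<'EOF'
Oct 17 17:00:51 ns2 sudo: wash : TTY=ttyp0 ; PWD=/home/wash ; USER=root ; COMMAND=/usr/bin/ee /etc/namedb/flexopac.com
Oct 17 17:01:31 ns2 sudo: wash : TTY=ttyp0 ; PWD=/home/wash ; USER=root ; COMMAND=/usr/sbin/ndc reload
Oct 17 23:14:02 ns2 sudo: l-x : TTY=ttyp2 ; PWD=/tmp ; USER=root ; COMMAND=/bin/sh
Oct 17 23:15:00 ns2 login: 1 LOGIN FAILURE ON ttyp2 FROM 192.0.2.10, l-x
EOF
    printf 'root:*:0:0:Charlie &:/root:/bin/csh\nwash:*:1001:1001:Wash:/home/wash:/bin/sh\n' > "$1/passwd.base"
    printf 'root:*:0:0:Charlie &:/root:/bin/csh\nwash:*:1001:1001:Wash:/home/wash:/bin/sh\nl-x:*:1002:1002:l-x:/tmp:/bin/sh\n' > "$1/passwd.now"
    mkdir -p "$1/tree/bin"
    : > "$1/tree/bin/normal"
    : > "$1/tree/bin/suid"
    chmod 4755 "$1/tree/bin/suid"
}

# Run the three checks against the constructed sample when executed directly.
demo=$(mktemp -d "${TMPDIR:-/tmp}/audit.XXXXXX")
make_sample "$demo"
echo "== sudo entries by users other than wash =="
sudo_unexpected "$demo/messages" "wash"
echo "== login names not in the baseline passwd =="
new_accounts "$demo/passwd.base" "$demo/passwd.now"
echo "== setuid files =="
find_setuid "$demo/tree"
rm -rf "$demo"
```

On a real box you would point sudo_unexpected at /var/log/messages, new_accounts at a copy of /etc/passwd kept from install time, and find_setuid at / (then ls -l each hit to see its owner, since setuid grants the owner's privileges, root's only when root owns the file). All three checks read data on the possibly compromised host, so run them from a known-good binary set or a mounted copy of the disk, because a rootkit can alter what grep, find and the log files report.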