From owner-freebsd-questions Thu Oct 18 8:47:42 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from mail-relay1.mirrorimage.net (mail-relay1.mirrorimage.net [209.58.140.11]) by hub.freebsd.org (Postfix) with ESMTP id 355B937B401 for ; Thu, 18 Oct 2001 08:47:31 -0700 (PDT)
Received: from leblanc.mirrorimage.net (leblanc.mirrorimage.net [209.192.210.146]) by mail-relay1.mirrorimage.net (8.9.3/8.9.3) with ESMTP id LAA19722 for ; Thu, 18 Oct 2001 11:47:30 -0400
Received: (from leblanc@localhost) by leblanc.mirrorimage.net (8.11.6/8.11.4) id f9IFm6x23072 for freebsd-questions@freebsd.org; Thu, 18 Oct 2001 11:48:06 -0400 (EDT) (envelope-from leblanc)
Date: Thu, 18 Oct 2001 11:48:06 -0400
From: Louis LeBlanc
To: FBSD-Q
Subject: Re: I got hacked, I think
Message-ID: <20011018114805.E70327@acadia.ne.mediaone.net>
Reply-To: freebsd-questions@freebsd.org
Mail-Followup-To: FBSD-Q
References: <20011018131823.Y621-100000@jodie.ncptiddische.net> <011e01c157cf$9b401700$f6f073d1@mpionline.com> <20011018165057.V3734@ns2.wananchi.com> <01e701c157e4$f012abc0$f6f073d1@mpionline.com> <20011018180513.C3734@ns2.wananchi.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <20011018180513.C3734@ns2.wananchi.com>
User-Agent: Mutt/1.3.22.1i
X-bright-idea: Lets abolish HTML mail!
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On 10/18/01 06:05 PM, Odhiambo Washington sat at the `puter and typed:
> * Tomek [20011018 17:54]: writing on the subject 'Re: I got hacked, I think'
> >
>
> Maybe someone walked onto your machine, rebooted into single user mode,
> did everything he wanted as root then walked away and expected that now since
> he's punched enough holes, he can just telnet from wherever.....
One reason why a bootup password would help on a system you can't keep
physically secure.

> | What REALLY caught me off guard is you saying "Broot" is unknown, Broot
> | user was there from the moment I installed FreeBSD and google search
> | shows it everywhere, so I'm not worried about that even though my old
> | version of FreeBSD didn't have a Broot.
>
> Hmm, where do I find this Broot in my system. I run FreeBSD 4.4 in all my
> systems. I don't have a Broot either.

What version of FreeBSD are you running?  I have root and toor as the
only uid 0 accounts.

> | > /bin/auth/ - man format your box asap and reinstall. You were hacked.
> | /usr/local/news/bin/auth/passwd/ckpasswd was the full pathname.

This is probably part of the inn port.  This person may have set you up
to run a news server.  Check your firewall script against a backup copy
and see if that port (119) was opened up.

> There is no such path in my boxes. Maybe because I have not installed any news
> apps???? Maybe someone is hiding those apps in there??

If you find the package installed by the port (pkg_info | grep news), you
can simply delete it with pkg_delete inn-2.3.2_2 (or whatever).  If there
are some other configs and/or programs hidden within the /usr/local/news/
directory tree, it will show up as an error of some kind I think.  Then if
it doesn't remove the /usr/local/news directory, you can either remove it
manually or rename it so you can take a look at it later (if there is some
kind of backdoor being used to send him info on your security changes, he
has to be sending them somewhere . . .).

> | My goal is NOT to just delete the system, that would be crazy. It seems
> | I have been COMPLETELY hacked, inside and out, and I have to know where
> | the leak was or I might end up in same position again. I am leaving
> | everything as is except I have installed several logging programs to try
> | and see WHAT this person is doing, from that I will know what damage may
> | have been done.
I'd say backup everything for evidence/tracking/study/etc. and reinstall.
This time set a boot password at the bios level and set up a very tight
firewall.  And don't allow telnet.  Just disable it at inetd.conf.

> Okay. Tripwire could have helped. I haven't run it either but I wish you luck.
> I hope the hacker doesn't wreak havoc.

Tripwire would only have given you an idea where the hacker made his
changes.  I have found that it really gives a lot of false hits if you
simply reboot the machine.

> | ===
> | It appears most of the files and have chmod "s" run on them, not sure
> | what that means but I'll check shortly.... it's SOO aggravating to be
> | sitting here KNOWING someone is hacking me and be forced to wait and try
> | and find out what they are doing... risky too.
>
> 's' is the setuid bit on a file - makes it run with root privileges.

Provided it is owned by root.  But this may be a sign that some or all of
these files have been replaced with insecure versions that can be used to
regain control of your machine.  Some may even have an added ability to
send access info to the hacker in the event you change things, or the
ability to open a hole back up in your firewall.

> +++
> "He's not pining, he's passed on! This parrot won't squawk! He's
> ceased to be! He's expired, and gone to meet his maker! It's a
> stiff! No breath of life, he may rest in peace! If you hadn't nailed
> him to the perch, he'd be pushing up the daisies! He's off the twig!
> He's kicked the bucket! He's curled up his tooties! He's shuffled off
> this mortal world! He's run down the curtain, and joined the bleed'n
> Choir Invincible! HE'S FUCKING SNUFFED IT! Vis-a-vi his metabolic
> processes is head is lost. All statements concerning this parrot is no
> longer a going concern, after from now on, Inoperative...
>
> THIS IS AN EX-PARROT!!"

I'm afraid this may actually apply to your machine - at least as far as
security is concerned.
You really should rebuild, even if you do backup the hacked system. :(

Good luck
Lou
--
Louis LeBlanc               leblanc@acadia.ne.mediaone.net
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://acadia.ne.mediaone.net

program, n.:
  A magic spell cast over a computer allowing it to turn one's input
  into error messages.  tr.v.  To engage in a pastime similar to banging
  one's head against a wall, but with fewer opportunities for reward.
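The thread's two practical checks, "which files suddenly have the setuid bit" and "which of them were replaced", are what Tripwire automates in general; the script below is an added example (mine, not from Lou's mail or from FreeBSD's tools) of doing just that slice by hand. It inventories every setuid/setgid regular file under a tree with its mode, owner and SHA-256, and diffs the result against a baseline taken from a known-good install. It assumes a FreeBSD or Linux userland with find, ls, awk, sort and either sha256(1) or sha256sum(1); all paths in the usage comment are hypothetical.

```shell
#!/bin/sh
# setuid_audit.sh -- added example, not part of the original mail.
# Inventory setuid/setgid regular files under a tree (mode, owner,
# SHA-256) and diff that against a baseline from a clean install.
# Assumes: find, ls, awk, sort, and sha256(1) (FreeBSD) or sha256sum(1) (GNU).
# Caveat from the thread: if ls/find/sha256 were themselves replaced,
# run this from a clean boot medium or with statically linked copies,
# otherwise the tools can lie about what is on disk.

file_hash() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | awk '{print $1}'
    fi
}

# setuid_inventory ROOT
# One line per setuid/setgid regular file: "MODE OWNER SHA256 PATH".
# The owner column matters: a setuid bit only hands out root if the
# file is owned by root, so root-owned entries deserve the first look.
setuid_inventory() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | LC_ALL=C sort |
    while IFS= read -r f; do
        mode_owner=$(ls -ld "$f" | awk '{print $1, $3}')
        printf '%s %s %s\n' "$mode_owner" "$(file_hash "$f")" "$f"
    done
}

# compare_inventory BASELINE CURRENT
# Prints NEW, CHANGED (mode, owner or hash differs) and MISSING paths,
# sorted so the output is stable enough to diff or alert on.
compare_inventory() {
    awk '
        # key = everything after the first three fields; the path may contain spaces
        function key(line,    p) { p = line; sub(/^[^ ]+ [^ ]+ [^ ]+ /, "", p); return p }
        FILENAME == ARGV[1] { base[key($0)] = $1 " " $2 " " $3; next }
                            { cur[key($0)]  = $1 " " $2 " " $3 }
        END {
            for (p in cur)  if (!(p in base))                       print "NEW " p
            for (p in cur)  if ((p in base) && base[p] != cur[p])   print "CHANGED " p
            for (p in base) if (!(p in cur))                        print "MISSING " p
        }' "$1" "$2" | LC_ALL=C sort
}

# Typical use (hypothetical paths, not run automatically):
#   setuid_inventory / > /var/db/setuid.baseline   # on the clean install, store it off-box
#   setuid_inventory / > /tmp/setuid.now           # on the suspect box
#   compare_inventory /var/db/setuid.baseline /tmp/setuid.now
```

Keep the baseline somewhere the intruder cannot reach (removable media, another host), or it is no better than the files it describes. Rebooting does not disturb this list, which avoids the false hits Lou mentions with a full Tripwire database, but it also only covers setuid/setgid files; a replaced non-setuid login, sshd or netstat still needs a full package or Tripwire comparison.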