From owner-freebsd-questions Thu Jan 1 09:10:20 1998
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id JAA21357 for questions-outgoing; Thu, 1 Jan 1998 09:10:20 -0800 (PST) (envelope-from owner-freebsd-questions)
Received: from didda.est.is (ppp-52.est.is [194.144.208.152]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id JAA21350 for ; Thu, 1 Jan 1998 09:10:13 -0800 (PST) (envelope-from totii@est.is)
Received: from est.is (didda.est.is [192.168.255.1]) by didda.est.is (8.8.7/8.8.7) with ESMTP id RAA00494; Thu, 1 Jan 1998 17:09:30 GMT (envelope-from totii@est.is)
Message-ID: <34ABCDC8.FB4E4892@est.is>
Date: Thu, 01 Jan 1998 17:09:28 +0000
From: "Þórður Ívarsson"
X-Mailer: Mozilla 4.04 [en] (X11; I; FreeBSD 2.2.5-RELEASE i386)
MIME-Version: 1.0
To: Randy Katz
CC: questions@FreeBSD.ORG
Subject: Re: HACKED (again)
References:
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-questions@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Randy Katz wrote:
>
> Ok,
>
> Please help me out here. I shut off telnet to a particular host and had
> sshd & ftpd (wu beta 15) running with access only from one other host. The
> other host had telnetd running and ftpd.
>
> They got into the host (let's call it host1) as root somehow and changed
> an index.html file of a Web Site (bragging). They erased their trail,
> blew away wtmp and any log entries...
>
> The way I know they got in as root is .history in /root had entries of
> their activity.
>
> The other host which could access this server via ssh had no sign of
> molestation that I can see. The log files and wtmp were completely
> intact and no entries from anyone other than the intended (only 2 people
> log into this machine).
>
> I WANT TO KNOW HOW THEY DID IT. Can anyone address this?
>
> I'm NOT asking for a solution about what to do. I just want to know how
> they gained access. The machine is FreeBSD 2.2.5 the latest.
>
> Thanx again,
> Randy Katz

We got attacked by someone who screwed up everything on our system two
years ago. We tried to clean up the mess, but a few months later they
ruined our system completely. We spent all the time we could finding
vulnerable services, but I think they relinked most of the programs with
some sniffers that gave them all the information they needed any time they
needed it.

My advice is to try everything out very thoroughly and act like the
crackers, and try everything out that I can find on the net that is said
to exploit security holes. Do it on another system please, some research
system.

--
Þórður Ívarsson          Thordur Ivarsson
Rafeindavirki            Electronic technician
Norðurgötu 30            Nordurgotu 30
Box 309                  Box 309
602 Akureyri             602 Akureyri
Ísland                   Iceland
---------------------------------------------
Sometimes we have to find the problem to the answer!
---------------------------------------------
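The reply above warns that the intruders had probably relinked system programs with sniffers, which is exactly the case where log files and wtmp tell you nothing. As an added example (not from the mailing-list post or any FreeBSD tool), here is a small baseline-and-verify check: take a hash manifest of the binaries you trust, keep it off the host, and later compare the live files against it. The file names, contents and the tampering scenario in `demo()` are constructed for the demonstration.

```python
"""Baseline-and-verify check for replaced system binaries.

Added example, not from the original post. The idea: record a SHA-256 and
permission-bit manifest of trusted files, store it off the host (read-only
media), and later diff the live tree against it. All sample files and the
tampering in demo() are constructed for the demonstration.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    """Stream the file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file under root (relative path) to its hash and mode bits.

    Symlinks are skipped: an intruder can repoint one, but the target it
    points to is checked on its own.
    """
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root)
            st = os.stat(full)
            manifest[rel] = {"sha256": sha256_file(full), "mode": st.st_mode & 0o7777}
    return manifest


def verify(root, manifest):
    """Compare the live tree against a trusted manifest.

    Returns a dict with 'modified', 'missing' and 'added' lists. 'modified'
    means content or permission bits changed (a relinked binary, or a new
    setuid bit); 'added' catches files that appeared after the baseline,
    which a hash check of only the known files would never see.
    """
    current = build_manifest(root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    added = sorted(p for p in current if p not in manifest)
    return {"modified": modified, "missing": missing, "added": added}


def demo():
    """Constructed scenario: baseline three 'binaries', then tamper and re-check."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        for name, body in (("login", b"trusted login"),
                           ("ps", b"trusted ps"),
                           ("netstat", b"trusted netstat")):
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(body)
        baseline = build_manifest(root)
        saved = json.dumps(baseline)  # in real use: written to read-only media off the host

        # Simulated tampering: ps replaced, an extra file dropped, netstat removed.
        with open(os.path.join(bindir, "ps"), "wb") as f:
            f.write(b"replaced ps")
        with open(os.path.join(bindir, "extra"), "wb") as f:
            f.write(b"file that was not in the baseline")
        os.remove(os.path.join(bindir, "netstat"))

        return verify(root, json.loads(saved))


if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the interpreter, `ls`, and kernel that run it: on a box where programs have already been replaced, run the comparison from known-good media (a rescue disk or a clean install) against the mounted suspect filesystem, and build the baseline right after installation, before the host is exposed, not after an intrusion is suspected.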