Date: Tue, 21 Jul 1998 16:51:58 -0400 (EDT)
From: Drew Derbyshire <ahd@kew.com>
To: security@FreeBSD.ORG
Cc: dave@psyton.com, dmwatt@watt.com, greg@bbs.com, rks@kew.com, sgk@twinlight.com
Subject: hacked and don't know why
Message-ID: <199807212051.QAA05632@kendra.ne.mediaone.net>
My firewall was hacked last night and I don't know how. Only damage is the complete loss of /dev, /bin, and /var/log directories. The system was more or less up when I checked it this morning, but I had to crash it and rebuild/reload the affected directories using the 2.2.26 live file system CD-ROM.

System is FreeBSD 2.2.6 with additions of:

    sendmail 8.9.0 (restricted shell enabled)
    ftpmail (restricted to local anonymous ftp server)
    majordomo
    apache 1.3.0 (no CGI scripts enabled)
    samba 1.9.18.p5

Firewall filtering is enabled; major services allowed include anonymous FTP, SMTP (sendmail 8.9.0), and WWW. natd is running for outbound access. I'll be happy to privately send the full firewall list to interested parties; I'm mostly not posting it to prevent it from being publicly archived.

A unique service is UUCP, but that was actually unaffected by the hacking. Permissions, like those on the anonymous FTP directory, look secure. As with the firewall configuration, I can provide more information on request (I do make mistakes, like anyone). Inbound UUCP connections are restricted as part of the firewall.

Only spouse and self have samba access; only a few trusted friends (3) have any non-anonymous access. All outside network access requires either S/Key one time passwords or secure shell; I don't know of any passwords getting out.

The samba is a little backlevel, but the known problems with fixes out for it require that the person has access to the system in question; this should not be an issue with my configuration.

A sweep of the file system comparing to the 2.2.6 live file system CD-ROM shows no unexpected/unauthorized changes. Note that because the CD-ROM has the export versions of some programs, the check is not perfect since the affected programs tend to be security related.

Suggestions to prevent a repeat? I'm going to build a new system from scratch to ensure clean binaries and the like, but I don't know what hole I left open ...
I am of course also looking at the CERT check list to see where/what I f--ked up with.

-ahd-

-- 
Drew Derbyshire                  Internet: ahd@kew.com
Kendra Electronic Wonderworks    Telephone: 781-279-9812

Copywight 1994 Elmer Fudd. All wights wesewved.
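The "sweep of the file system comparing to the live file system CD-ROM" the poster describes is the one check that can still be scripted after the fact. The following is an added example, not the poster's own procedure: a POSIX sh function that walks a known-good reference tree (assumed to be the mounted install CD) and reports, for every regular file, whether the copy on the running system is modified, missing, or not on the CD at all. It uses cksum(1) so it runs on an old BSD as well as on Linux; directory names and the /cdrom mount point are assumptions.

```shell
#!/bin/sh
# compare_tree REFERENCE_DIR TARGET_DIR
# Walks every regular file under REFERENCE_DIR (e.g. a mounted install
# CD-ROM) and compares it with the same path under TARGET_DIR (e.g. /).
# Prints one line per discrepancy: "MODIFIED path", "MISSING path", or
# "EXTRA path" for files present only on the running system.
# Caveat the poster raises: programs shipped as export versions on the CD
# will legitimately show as MODIFIED, so those hits need manual review.
compare_tree() {
    ref=$1
    tgt=$2
    # Pass 1: everything on the reference tree must exist and match.
    (cd "$ref" && find . -type f) | sort | while IFS= read -r f; do
        if [ ! -f "$tgt/$f" ]; then
            printf 'MISSING %s\n' "$f"
        elif [ "$(cksum < "$ref/$f" | cut -d' ' -f1,2)" != \
               "$(cksum < "$tgt/$f" | cut -d' ' -f1,2)" ]; then
            printf 'MODIFIED %s\n' "$f"
        fi
    done
    # Pass 2: files on the running system with no counterpart on the CD.
    (cd "$tgt" && find . -type f) | sort | while IFS= read -r f; do
        [ -f "$ref/$f" ] || printf 'EXTRA %s\n' "$f"
    done
}

# Example invocation (assumed mount point): compare_tree /cdrom /usr /usr
if [ "$#" -eq 2 ]; then
    compare_tree "$1" "$2"
fi
```

Run it from a clean boot medium rather than the suspect system, since a trojaned cksum or find would make the comparison worthless.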