From owner-freebsd-security Tue Jul 21 13:53:00 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA09630 for freebsd-security-outgoing; Tue, 21 Jul 1998 13:53:00 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from kendra.ne.mediaone.net (kendra.ne.mediaone.net [24.128.94.182]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA09538 for ; Tue, 21 Jul 1998 13:52:35 -0700 (PDT) (envelope-from ahd@kew.com)
Received: (from ahd@localhost) by kendra.ne.mediaone.net (8.9.0/8.9.0) id QAA05632; Tue, 21 Jul 1998 16:51:58 -0400 (EDT)
Date: Tue, 21 Jul 1998 16:51:58 -0400 (EDT)
From: Drew Derbyshire
Message-Id: <199807212051.QAA05632@kendra.ne.mediaone.net>
To: security@FreeBSD.ORG
Subject: hacked and don't know why
Cc: dave@psyton.com, dmwatt@watt.com, greg@bbs.com, rks@kew.com, sgk@twinlight.com
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

My firewall was hacked last night and I don't know how. Only damage is the complete loss of the /dev, /bin, and /var/log directories. The system was more or less up when I checked it this morning, but I had to crash it and rebuild/reload the affected directories using the 2.2.26 live file system CD-ROM.

System is FreeBSD 2.2.6 with additions of:

  sendmail 8.9.0 (restricted shell enabled)
  ftpmail (restricted to local anonymous ftp server)
  majordomo
  apache 1.3.0 (no CGI scripts enabled)
  samba 1.9.18.p5

Firewall filtering is enabled; major services allowed include anonymous FTP, SMTP (sendmail 8.9.0), and WWW. natd is running for outbound access. I'll be happy to privately send the full firewall list to interested parties; I'm mostly not posting it to prevent it from being publicly archived.

A unique service is UUCP, but that was actually unaffected by the hacking.

Permissions, like those on the anonymous FTP directory, look secure. As with the firewall configuration, I can provide more information on request (I do make mistakes, like anyone).

Inbound UUCP connections are restricted as part of the firewall. Only spouse and self have samba access; only a few trusted friends (3) have any non-anonymous access. All outside network access requires either S/Key one-time passwords or secure shell; I don't know of any passwords getting out. The samba is a little backlevel, but the known problems with fixes out for it require that the person has access to the system in question; this should not be an issue with my configuration.

A sweep of the file system comparing to the 2.2.6 live file system CD-ROM shows no unexpected/unauthorized changes. Note that because the CD-ROM has the export versions of some programs, the check is not perfect, since the affected programs tend to be security related.

Suggestions to prevent a repeat? I'm going to build a new system from scratch to ensure clean binaries and the like, but I don't know what hole I left open ... I am of course also looking at the CERT check list to see where/what I f--ked up with.

-ahd-

-- 
Drew Derbyshire                 Internet: ahd@kew.com
Kendra Electronic Wonderworks   Telephone: 781-279-9812
Copywight 1994 Elmer Fudd. All wights wesewved.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
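The check Drew describes, comparing the installed tree against the live-filesystem CD-ROM, written out as an added example that is not part of the original post: a POSIX shell script that hashes every file in a trusted reference tree, compares it against the suspect tree, and reports modified, missing and unexpected files, with an allowlist for paths known to differ (such as the export-crypto builds of security programs he mentions). The function names, the `sbin/sshd` allowlist entry and the demo trees are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare a suspect tree (e.g. the running root) against a
# trusted reference tree (e.g. a mounted live-filesystem CD). Constructed demo.

# Print the SHA-256 of one file (sha256sum on Linux, sha256 on FreeBSD).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# compare_trees REFERENCE SUSPECT [ALLOWLIST]
# ALLOWLIST: newline-separated relative paths expected to differ (e.g. the
# export-crypto builds on the CD). Emits "DIFF p", "MISSING p" or "EXTRA p".
compare_trees() {
    ref=$1; sus=$2; allow=${3:-}
    # Every file on the trusted media must exist unchanged on the suspect.
    ( cd "$ref" && find . -type f | sort ) | while IFS= read -r f; do
        rel=${f#./}
        printf '%s\n' "$allow" | grep -qxF -- "$rel" && continue  # known-different
        if [ ! -e "$sus/$rel" ]; then
            echo "MISSING $rel"
        elif [ "$(hash_file "$ref/$rel")" != "$(hash_file "$sus/$rel")" ]; then
            echo "DIFF $rel"
        fi
    done
    # Anything on the suspect that the trusted media never shipped.
    ( cd "$sus" && find . -type f | sort ) | while IFS= read -r f; do
        rel=${f#./}
        [ -e "$ref/$rel" ] || echo "EXTRA $rel"
    done
}

# Constructed demo: unchanged, modified, allowlisted, missing and extra files.
demo() {
    t=$(mktemp -d); mkdir -p "$t/ref/bin" "$t/ref/sbin" "$t/sus/bin" "$t/sus/sbin"
    echo ls-v1 > "$t/ref/bin/ls";          cp "$t/ref/bin/ls" "$t/sus/bin/ls"
    echo login-v1 > "$t/ref/bin/login";    echo login-v2 > "$t/sus/bin/login"
    echo sshd-export > "$t/ref/sbin/sshd"; echo sshd-intl > "$t/sus/sbin/sshd"
    echo init-v1 > "$t/ref/sbin/init"
    echo unexpected > "$t/sus/bin/.hidden"
    compare_trees "$t/ref" "$t/sus" "sbin/sshd"
    rm -rf "$t"
}

demo
```

Against a real system you would mount the CD and run something like `compare_trees /cdrom / "$(cat known-export-diffs.txt)"`; EXTRA findings under /bin or /sbin and DIFF findings outside the allowlist are the lines to investigate first.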