From owner-freebsd-security Tue Jul 21 17:07:37 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA17336 for freebsd-security-outgoing; Tue, 21 Jul 1998 17:07:37 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from adam.adonai.net (adam.adonai.net [207.8.83.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA17233 for ; Tue, 21 Jul 1998 17:07:11 -0700 (PDT) (envelope-from leec@adam.adonai.net)
Received: from localhost (leec@localhost) by adam.adonai.net (8.8.7/8.8.7) with SMTP id TAA05749; Tue, 21 Jul 1998 19:06:24 -0500 (CDT) (envelope-from leec@adam.adonai.net)
Date: Tue, 21 Jul 1998 19:06:24 -0500 (CDT)
From: "Lee Crites (ASC)"
To: Drew Derbyshire
cc: security@FreeBSD.ORG
Subject: Re: hacked and don't know why
In-Reply-To: <199807212051.QAA05632@kendra.ne.mediaone.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 21 Jul 1998, Drew Derbyshire wrote:

=>My firewall was hacked last night and I don't know how.
=>
=>Only damage is the complete loss of /dev, /bin, and /var/log
=>directories. The system was more or less up when I checked it
=>this morning, but I had to crash it and rebuild/reload the
=>affected directories using the 2.2.26 live file system CD-ROM.

This is almost a frightening message. We were hacked like this two weeks ago. How frequently are FreeBSD systems getting hacked into? Is there even anyone who has stats on this kind of thing?

In my case, the bin directories (/bin, /sbin, /usr/bin, /usr/sbin, etc.) were still there, just that every program was replaced with the exact same "dummy" program. All were, as I recall, around 180k (exact same size, with cmp showing no differences in any of them). The funny thing is that ls did what ls was supposed to do, ps did what it was supposed to do, etc., even though they were the same size and cmp'd as identical.
The biggest problem we had was this happened at the same time I was involved in an accident which left me with a fairly severe concussion. I knew I was too far gone to really figure out what was happening, so I just unplugged my router and rebuilt from scratch. (Note: this was a realistic two day job which stretched to nearly 10 days as I recovered from the effects of the accident -- not something I'd recommend to anyone else.)

=>firewall filtering is enabled, major services allowed include

In my case, there was no firewall.

=>Suggestions to prevent a repeat? I'm going to build a new
=>system from scratch to insure clean binaries and the like, but
=>I don't know what hole I left open ...

Ditto for the request for suggestions. Is there a FreeBSD related checklist for security issues like this?

Lee

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Lee Crites Adonai Services Company, Round Rock, Texas
leec@adonai.net http://www.adonai.net/~leec
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
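The symptom Lee describes above (every program in the bin directories the same size, cmp showing them identical, yet ls and ps still behaving normally) is exactly what a trusted-baseline integrity check catches and what inspection on the running host does not, because the tools doing the inspecting may themselves have been replaced. The following is an added example, not code from this thread or from FreeBSD; FreeBSD's own tool for this job is mtree(8), but the script below shows the same idea in portable Python. It assumes the baseline manifest is built right after a clean install and stored off the host, and that the later comparison is run after booting from trusted media rather than with the suspect system's own binaries. The demo directory, file names and "dummy" contents are constructed for the example.

```python
import hashlib
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(dirs):
    """Map every regular file under the given directories to (size, sha256).
    Taken on a freshly installed system and kept off the host, this is the
    trusted baseline; size alone is not enough, as the post's identical-size
    replacements show."""
    manifest = {}
    for d in dirs:
        for root, _, files in os.walk(d):
            for name in files:
                path = os.path.join(root, name)
                if os.path.islink(path) or not os.path.isfile(path):
                    continue
                manifest[path] = (os.path.getsize(path), file_digest(path))
    return manifest


def compare_manifests(baseline, current):
    """Classify paths as changed (size or digest differs), missing, or added."""
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return {"changed": changed, "missing": missing, "added": added}


def duplicate_clusters(manifest, min_size=2):
    """Group paths that share one digest. Many distinct programs collapsing to a
    single digest is the 'every binary is the same dummy program' pattern from
    the post, and is worth flagging even without a baseline to compare against."""
    by_digest = {}
    for path, (_, digest) in manifest.items():
        by_digest.setdefault(digest, []).append(path)
    return {d: sorted(ps) for d, ps in by_digest.items() if len(ps) >= min_size}


def demo():
    """Constructed scenario: a tiny 'bin' directory is baselined, then two
    programs are overwritten with one identical dummy, one is deleted, and a
    stray file appears. Returns basenames so the result is path-independent."""
    with tempfile.TemporaryDirectory() as tmp:
        bindir = os.path.join(tmp, "bin")
        os.mkdir(bindir)
        for name in ("ls", "ps", "netstat"):
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(b"#!/bin/sh\necho real " + name.encode() + b"\n")
        baseline = build_manifest([bindir])

        # Simulated tampering: same dummy content written over two programs
        dummy = b"#!/bin/sh\n" + b"# dummy wrapper\n" * 8
        for name in ("ls", "ps"):
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(dummy)
        os.remove(os.path.join(bindir, "netstat"))
        with open(os.path.join(bindir, "sh.bak"), "wb") as f:
            f.write(dummy)

        current = build_manifest([bindir])
        report = compare_manifests(baseline, current)
        clusters = duplicate_clusters(current)

        def rel(paths):
            return [os.path.basename(p) for p in paths]

        return ({k: rel(v) for k, v in report.items()},
                [rel(v) for v in clusters.values()])


if __name__ == "__main__":
    report, clusters = demo()
    for kind, paths in report.items():
        print(kind, paths)
    print("identical-content clusters", clusters)
```

In practice the baseline is written to removable media or a remote host at install time, and the comparison is run from a clean boot (the live file system CD mentioned in the quoted message is suitable), since a baseline stored on the compromised disk, or a check run with the host's own hashing tools, can be altered along with the binaries.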