Date: Wed, 22 Jul 1998 11:51:28 -0400 (EDT)
From: Robert Watson <robert@cyrus.watson.org>
To: Jim Shankland <jas@flyingfox.com>
Cc: ahd@kew.com, leec@adam.adonai.net, security@FreeBSD.ORG
Subject: Re: hacked and don't know why
Message-ID: <Pine.BSF.3.96.980722114745.15193D-100000@fledge.watson.org>
In-Reply-To: <199807220536.WAA11804@biggusdiskus.flyingfox.com>
I would guess you were seeing the results of the following:

1. A botched attempt to patch ls to miss modifications to the file system
2. A botched attempt to use an lkm to intercept syscalls to hide changes to
   the file system

The first sounds like a broken rootkit, the second is a more scary (but not
hard to implement) case. If someone has written a nice lkm-based rootkit for
FreeBSD, then we may be missing a lot of breakins in our counts of breakins.
I would guess that the large majority of breakins go undiscovered *anyway*,
so this does not bode well.

If you boot off of the rescue disk, or off CD, and do an md5 of ls with a
trusted copy of md5, what do you see?

On Tue, 21 Jul 1998, Jim Shankland wrote:

> "Lee Crites (ASC)" <leec@adam.adonai.net> writes:
>
> > In my case, the bin directories (/bin, /sbin, /usr/bin,
> > /usr/sbin, etc) were still there, just that every program was
> > replaced with the exact same "dummy" program. All were, as I
> > recall, around 180k (exact same size with cmp showing no
> > differences in any of them. The funny thing is that ls did what
> > ls was supposed to do, ps did what it was supposed to do, etc,
> > even though they were the same size and cmp'd as identical.
>
> I *definitely* want to know how to squeeze every executable in
> /bin, /sbin, /usr/bin, and /usr/sbin into one 180KB file. I'll
> bet Jordan would, too, if he hadn't foresworn working on sysinstall :-).
>
> The symptoms you describe (not counting the blow to the head), as
> well as Drew's, make me think "filesystem damage due to failing/flakey
> hardware" before "security compromise." Can't say for sure,
> of course; and in both cases, the evidence is gone. But I think
> you may be jumping to conclusions a bit to assert, "We were hacked
> like this two weeks ago."
>
> Jim Shankland
> Flying Fox Computer Systems, Inc.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe security" in the body of the message
>

Robert N Watson

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/
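The check Robert suggests above (boot from trusted media, then compare an md5 of the binaries against a known-good copy) written out as a script. This is an added example, not part of the original thread or of FreeBSD; it assumes the suspect filesystem is mounted read-only under a root directory you pass in, that a baseline manifest was saved earlier from a known-good install, and that either md5(1) or md5sum(1) is available on the rescue media. It also adds one check the thread hints at but does not spell out: flagging many distinct binaries that share a single checksum, which is the "same dummy program everywhere" pattern Lee describes.

```shell
#!/bin/sh
# Added example: offline integrity check of system binaries against a baseline.
# Assumptions (not from the thread): manifest lines look like "<md5>  <path>",
# paths are relative to the installation root, and the suspect filesystem is
# mounted under $ROOT from a trusted (rescue floppy/CD) boot.
set -u

# Portable md5 of one file: FreeBSD ships md5(1), Linux ships md5sum(1).
hash_file() {
    if command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        md5sum "$1" | cut -d' ' -f1
    fi
}

# Write a manifest for every regular file under the named directories.
# usage: build_manifest ROOT DIR... > manifest
#   e.g. build_manifest /mnt /bin /sbin /usr/bin /usr/sbin > /floppy/manifest
build_manifest() {
    root=$1; shift
    for d in "$@"; do
        find "$root$d" -type f 2>/dev/null
    done | sort | while IFS= read -r f; do
        # Store the path without the mount prefix so the manifest is portable.
        printf '%s  %s\n' "$(hash_file "$f")" "${f#"$root"}"
    done
}

# Compare a saved manifest against the files now present under ROOT.
# Prints one line per deviation (MISSING or MODIFIED); returns 1 if any.
# usage: verify_manifest ROOT manifest
verify_manifest() {
    root=$1; manifest=$2; bad=0
    while read -r expected rel; do
        f="$root$rel"
        if [ ! -f "$f" ]; then
            echo "MISSING  $rel"; bad=1
        elif [ "$(hash_file "$f")" != "$expected" ]; then
            echo "MODIFIED $rel"; bad=1
        fi
    done < "$manifest"
    return $bad
}

# Report checksums shared by more than one file in a manifest.
# A handful of hard-linked tools is normal; dozens of distinct binaries
# collapsing to one checksum is the "same dummy program" symptom.
# usage: find_clones manifest   -> "<count> <md5>" per shared checksum
find_clones() {
    cut -d' ' -f1 "$1" | sort | uniq -c | awk '$1 > 1 { print $1, $2 }'
}
```

The two-step split matters: the manifest is only worth anything if it was built while the system was still trusted and stored somewhere the compromised host cannot rewrite (removable media, another machine). Running `verify_manifest` from the suspect system's own `/bin/sh` and `md5` defeats the purpose, which is why the thread suggests booting from the rescue disk or CD first.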