From owner-freebsd-security Wed Jul 22 08:53:08 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA23967 for freebsd-security-outgoing; Wed, 22 Jul 1998 08:53:08 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from fledge.watson.org (root@COPLAND.CODA.CS.CMU.EDU [128.2.222.48]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA23950 for ; Wed, 22 Jul 1998 08:52:54 -0700 (PDT) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id LAA15746; Wed, 22 Jul 1998 11:51:28 -0400 (EDT)
Date: Wed, 22 Jul 1998 11:51:28 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: Jim Shankland
cc: ahd@kew.com, leec@adam.adonai.net, security@FreeBSD.ORG
Subject: Re: hacked and don't know why
In-Reply-To: <199807220536.WAA11804@biggusdiskus.flyingfox.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I would guess you were seeing the results of the following:

1. A botched attempt to patch ls to miss modifications to the file system
2. A botched attempt to use an lkm to intercept syscalls to hide changes to the file system

The first sounds like a broken rootkit, the second is a more scary (but not hard to implement) case. If someone has written a nice lkm-based rootkit for FreeBSD, then we may be missing a lot of breakins in our counts of breakins. I would guess that the large majority of breakins go undiscovered *anyway*, so this does not bode well.

If you boot off of the rescue disk, or off CD, and do an md5 of ls with a trusted copy of md5, what do you see?
On Tue, 21 Jul 1998, Jim Shankland wrote:

> "Lee Crites (ASC)" writes:
>
> > In my case, the bin directories (/bin, /sbin, /usr/bin,
> > /usr/sbin, etc) were still there, just that every program was
> > replaced with the exact same "dummy" program. All were, as I
> > recall, around 180k (exact same size with cmp showing no
> > differences in any of them. The funny thing is that ls did what
> > ls was supposed to do, ps did what it was supposed to do, etc,
> > even though they were the same size and cmp'd as identical.
>
> I *definitely* want to know how to squeeze every executable in
> /bin, /sbin, /usr/bin, and /usr/sbin into one 180KB file. I'll
> bet Jordan would, too, if he hadn't foresworn working on sysinstall :-).
>
> The symptoms you describe (not counting the blow to the head), as
> well as Drew's, make me think "filesystem damage due to failing/flakey
> hardware" before "security compromise." Can't say for sure,
> of course; and in both cases, the evidence is gone. But I think
> you may be jumping to conclusions a bit to assert, "We were hacked
> like this two weeks ago."
>
> Jim Shankland
> Flying Fox Computer Systems, Inc.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe security" in the body of the message
>

Robert N Watson

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/
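The check Robert suggests (hash the binaries from a trusted boot and compare against known-good values) and the symptom Lee describes (every tool replaced by one identical "dummy" file) can both be turned into a small integrity script. The following is an added example, not code from the thread or from FreeBSD; it assumes either FreeBSD's md5(1) or GNU md5sum(1) is on the rescue medium, and the demo runs against a constructed temporary tree rather than a real /bin. It does not change the one thing the script cannot do for you: the hashes are only trustworthy if the kernel and hashing tool come from clean media, since an lkm that intercepts syscalls can lie to any tool running on the compromised kernel.

```shell
#!/bin/sh
# Added example (not part of the mailing-list thread): build a manifest of
# known-good hashes for system binaries, verify a tree against it, and flag
# distinct files that share identical content.
set -u

# Pick a hashing tool: FreeBSD ships md5(1), GNU systems ship md5sum(1).
hash_file() {
    if command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        md5sum "$1" | cut -d' ' -f1
    fi
}

# Emit one "hash path" line per regular file under the given directories.
# Run this from the trusted boot right after install, and keep the output
# off the machine (floppy, CD, or a remote host).
make_manifest() {
    for d in "$@"; do
        find "$d" -type f | LC_ALL=C sort | while IFS= read -r f; do
            printf '%s %s\n' "$(hash_file "$f")" "$f"
        done
    done
}

# Compare the live tree against a manifest. Prints a line for every file
# that is missing or whose hash changed; returns 1 if anything differs.
verify_manifest() {
    manifest=$1
    rc=0
    while read -r sum path; do
        if [ ! -f "$path" ]; then
            printf 'MISSING  %s\n' "$path"; rc=1
        elif [ "$(hash_file "$path")" != "$sum" ]; then
            printf 'MODIFIED %s\n' "$path"; rc=1
        fi
    done < "$manifest"
    return $rc
}

# Print groups of paths that hash to the same content. A handful of
# legitimate hard links is normal; ls, ps and the rest of /bin sharing one
# hash is the "every program is the same dummy binary" symptom.
find_clones() {
    manifest=$1
    cut -d' ' -f1 "$manifest" | sort | uniq -d | while read -r dup; do
        grep "^$dup " "$manifest" | cut -d' ' -f2- | tr '\n' ' '
        echo
    done
}

# Demo on a constructed tree (sample data, not real system binaries).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin"
    printf 'real ls\n' > "$tmp/bin/ls"
    printf 'real ps\n' > "$tmp/bin/ps"
    make_manifest "$tmp/bin" > "$tmp/manifest"

    # Simulate the reported symptom: ls replaced, then the same file copied over ps.
    printf 'dummy\n' > "$tmp/bin/ls"
    cp "$tmp/bin/ls" "$tmp/bin/ps"

    verify_manifest "$tmp/manifest"; result=$?
    make_manifest "$tmp/bin" > "$tmp/after"
    echo "files with identical content:"
    find_clones "$tmp/after"
    rm -rf "$tmp"
    return $result
}
```

Run `demo` to see both reports on the constructed tree; in practice you would run `make_manifest /bin /sbin /usr/bin /usr/sbin` from the trusted boot once, store the result off-host, and later run `verify_manifest` against that file after booting from the same clean medium.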