Date: Mon, 28 Jul 1997 11:23:40 -0700 (PDT) From: Vincent Poy <vince@mail.MCESTATE.COM> To: Robert Watson <robert@cyrus.watson.org> Cc: Tomasz Dudziak <loco@onyks.wszib.poznan.pl>, security@FreeBSD.ORG, "[Mario1-]" <mario1@PrimeNet.Com>, JbHunt <johnnyu@accessus.net> Subject: Re: security hole in FreeBSD Message-ID: <Pine.BSF.3.95.970728111326.3844N-100000@mail.MCESTATE.COM> In-Reply-To: <Pine.BSF.3.95q.970728082931.3000B-100000@cyrus.watson.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, 28 Jul 1997, Robert Watson wrote: =)> He wasn't invisible to netstat but he did do something that faked =)> the hostname even in netstat. =) =)In this case, the chances are he just inserted some dud DNS entries, or =)simply set his in-addr.arpa to something nasty. There's nothing one can =)do to prevent an authoritative name entry (trash or not) from being =)accepted in DNS or DNSsec. One thing I would like to see is logging of IP =)address *and* hostname in the logs. Both are useful, depending on the =)situation. Due to the nature of TCP, IP addresses are fairly useful in =)tracing an attack, but often, especially after a time delay, hostnames are =)the only way to easily contact the maintainer of the IP address. Hostname =)is also more useful in spotting attacks in the first place, as it's easy =)for a user to tell when they've logged in from somewhere they haven't :). I don't think he can change his in-addr.arpa since he was using his Linux machine from a Netcom ppp connection. What he did was move netstat to another filename so he didn't think we had access to netstat but thanks to screen's invisibility mode and FreeBSD -current, I recompiled the thing and reinstalled in less than 20 seconds while jbhunt was talking to him and saw his source address as wil-de7-10.ix.netcom.com so many thanks to jmb also here that I did on both mercury and earth: route add -hosts his-ip our-ip -reject And the next thing we know, he was back from sh.janey.com so I blocked that out too and then he came back and netstat didn't work anymore this time. It showed fake names such as FreeBSD.HACK.U.NOW:telnet and a bunch of other garbage. According to Mario, theca@wil-de7-10.ix.netcom.com is known to be hacking machines all over the place and no one has stopped him yet. =)BTW, does anyone know if there is a secure logging protocol? Syslog on =)UDP seems a tad unreliable, not to mention opening one up from DoS. I log =)to a loghost, and that machine could easily suffer DoS from log flooding, =)etc. A simple signature arrangement using MD5 (HMAC?) similar to DNS TSIG =)would be easy enough to arrange, and far more secure. I assume someone, =)somewhere has written one, or implemented one, but I haven't been =)following the Internet Draft releases to closely. Yep, I think he did something to syslogd since he did come in via a telnet connection but the tcp wrappers didn't show his connections but all other connections were logged. =)> =)There was a security hole some time ago in perl that allowed local users =)> =)to gain root access... That's probably the way he got root access... =)> =)I would check my binaries, sup and recompile. =)> =)> Hmmm, I supped the perl from the most recent ports tree and also =)> all the binaries are about 2 months old from the -current tree. I thought =)> the security hole was way before that. What I didn't get is how did he =)> get access to the second system (earth) when he doesn't have a account =)> there in the first place? =) =)I'd be tempted to look in all the normal places -- sendmail, etc. What =)daemons were running on the machine? Any web server processes? Also, I'd =)heavily suspect that he sniffed a password if no encrypted telnet/ssh is =)in use.. Any use of NIS going on? Also, .rhosts arrangements can be =)extremely unhappy if we already know (s)he is messing with DNS entries. sendmail is running as well as apache httpd... ftpd, telnetd, and ircd. No NIS. ALl I know was he managed to changed everyone's .rhosts file when it doesn't exist originally and the contents just had: + + in it. Cheers, Vince - vince@MCESTATE.COM - vince@GAIANET.NET ________ __ ____ Unix Networking Operations - FreeBSD-Real Unix for Free / / / / | / |[__ ] GaiaNet Corporation - M & C Estate / / / / | / | __] ] Beverly Hills, California USA 90210 / / / / / |/ / | __] ] HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____]
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.95.970728111326.3844N-100000>