From owner-freebsd-security Mon Jul 28 11:24:12 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id LAA22738 for security-outgoing; Mon, 28 Jul 1997 11:24:12 -0700 (PDT)
Received: from mail.MCESTATE.COM (vince@mail.MCESTATE.COM [207.211.200.50]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id LAA22729 for ; Mon, 28 Jul 1997 11:24:07 -0700 (PDT)
Received: from localhost (vince@localhost) by mail.MCESTATE.COM (8.8.5/8.8.5) with SMTP id LAA05246; Mon, 28 Jul 1997 11:23:41 -0700 (PDT)
Date: Mon, 28 Jul 1997 11:23:40 -0700 (PDT)
From: Vincent Poy
To: Robert Watson
cc: Tomasz Dudziak , security@FreeBSD.ORG, "[Mario1-]" , JbHunt
Subject: Re: security hole in FreeBSD
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 28 Jul 1997, Robert Watson wrote:

=)> He wasn't invisible to netstat but he did do something that faked
=)> the hostname even in netstat.
=)
=)In this case, the chances are he just inserted some dud DNS entries, or
=)simply set his in-addr.arpa to something nasty. There's nothing one can
=)do to prevent an authoritative name entry (trash or not) from being
=)accepted in DNS or DNSsec. One thing I would like to see is logging of IP
=)address *and* hostname in the logs. Both are useful, depending on the
=)situation. Due to the nature of TCP, IP addresses are fairly useful in
=)tracing an attack, but often, especially after a time delay, hostnames are
=)the only way to easily contact the maintainer of the IP address. Hostname
=)is also more useful in spotting attacks in the first place, as it's easy
=)for a user to tell when they've logged in from somewhere they haven't :).

I don't think he can change his in-addr.arpa since he was using his Linux machine from a Netcom ppp connection.

What he did was move netstat to another filename so he didn't think we had access to netstat, but thanks to screen's invisibility mode and FreeBSD -current, I recompiled the thing and reinstalled in less than 20 seconds while jbhunt was talking to him and saw his source address as wil-de7-10.ix.netcom.com, so many thanks to jmb also. Here is what I did on both mercury and earth:

route add -hosts his-ip our-ip -reject

And the next thing we know, he was back from sh.janey.com so I blocked that out too, and then he came back and netstat didn't work anymore this time. It showed fake names such as FreeBSD.HACK.U.NOW:telnet and a bunch of other garbage. According to Mario, theca@wil-de7-10.ix.netcom.com is known to be hacking machines all over the place and no one has stopped him yet.

=)BTW, does anyone know if there is a secure logging protocol? Syslog on
=)UDP seems a tad unreliable, not to mention opening one up from DoS. I log
=)to a loghost, and that machine could easily suffer DoS from log flooding,
=)etc. A simple signature arrangement using MD5 (HMAC?) similar to DNS TSIG
=)would be easy enough to arrange, and far more secure. I assume someone,
=)somewhere has written one, or implemented one, but I haven't been
=)following the Internet Draft releases too closely.

Yep, I think he did something to syslogd since he did come in via a telnet connection but the tcp wrappers didn't show his connections, while all other connections were logged.

=)> =)There was a security hole some time ago in perl that allowed local users
=)> =)to gain root access... That's probably the way he got root access...
=)> =)I would check my binaries, sup and recompile.
=)>
=)> Hmmm, I supped the perl from the most recent ports tree and also
=)> all the binaries are about 2 months old from the -current tree. I thought
=)> the security hole was way before that. What I didn't get is how did he
=)> get access to the second system (earth) when he doesn't have an account
=)> there in the first place?
=)
=)I'd be tempted to look in all the normal places -- sendmail, etc. What
=)daemons were running on the machine? Any web server processes? Also, I'd
=)heavily suspect that he sniffed a password if no encrypted telnet/ssh is
=)in use.. Any use of NIS going on? Also, .rhosts arrangements can be
=)extremely unhappy if we already know (s)he is messing with DNS entries.

sendmail is running as well as apache httpd... ftpd, telnetd, and ircd. No NIS. All I know was he managed to change everyone's .rhosts file when it didn't exist originally, and the contents just had:

+ +

in it.

Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET          ________   __ ____
Unix Networking Operations - FreeBSD-Real Unix for Free / / / / |  / |[__  ]
GaiaNet Corporation - M & C Estate                      / / / /  | /  | __] ]
Beverly Hills, California USA 90210                     / / / / / |/ / | __] ]
HongKong Stars/Gravis UltraSound Mailing Lists Admin    /_/_/_/_/|___/|_|[____]
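Robert Watson asks above whether a TSIG-style keyed-signature scheme could protect log records sent to a loghost. The following is an added example, not code from the thread or from FreeBSD's syslogd: a sender that tags each record with a per-host sequence number and an HMAC over (host, seq, message) under a shared key, and a loghost that drops records whose tag does not verify or whose sequence number has already been seen. The shared key, host name and log messages are constructed for the example; it uses HMAC-SHA256 rather than the MD5 mentioned in the message.

```python
"""Authenticated log records with replay protection (added example).

Each record carries host, a monotonically increasing per-host sequence
number, the message, and an HMAC-SHA256 tag over those three fields.
A loghost holding the same key can therefore reject records that were
forged, altered in transit, or replayed from an earlier capture.
"""
import hashlib
import hmac
import json

# Constructed shared secret for the example; a real deployment would
# provision one key per sending host out of band.
SHARED_KEY = b"example-shared-key-do-not-reuse"


def _tag(key, host, seq, message):
    # NUL-separate the fields so "ab"+"c" and "a"+"bc" cannot collide.
    payload = b"\x00".join([host.encode(), str(seq).encode(), message.encode()])
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class Sender:
    """Log producer: numbers and tags each record before it goes on the wire."""

    def __init__(self, key, host):
        self.key, self.host, self.seq = key, host, 0

    def emit(self, message):
        self.seq += 1
        rec = {"host": self.host, "seq": self.seq, "msg": message}
        rec["tag"] = _tag(self.key, self.host, self.seq, message)
        return json.dumps(rec)


class LogHost:
    """Log consumer: verifies the tag, then enforces strictly increasing seq."""

    def __init__(self, key):
        self.key = key
        self.last_seq = {}      # highest accepted sequence number per host
        self.accepted = []      # (host, seq, msg) tuples that verified
        self.rejected = []      # (wire, reason) tuples that did not

    def receive(self, wire):
        try:
            rec = json.loads(wire)
            host, seq = rec["host"], int(rec["seq"])
            msg, tag = rec["msg"], rec["tag"]
        except (ValueError, KeyError, TypeError):
            self.rejected.append((wire, "malformed"))
            return False
        # Verify the tag first: an unauthenticated record must not be able
        # to influence the replay window.
        expected = _tag(self.key, host, seq, msg)
        if not hmac.compare_digest(expected, tag):
            self.rejected.append((wire, "bad tag"))
            return False
        if seq <= self.last_seq.get(host, 0):
            self.rejected.append((wire, "replay"))
            return False
        self.last_seq[host] = seq
        self.accepted.append((host, seq, msg))
        return True


def demo():
    """Run a sender against a loghost with two good records, one tampered
    copy and one replay; return what was accepted and why records failed."""
    sender = Sender(SHARED_KEY, "mercury.example")   # constructed host name
    loghost = LogHost(SHARED_KEY)

    rec1 = sender.emit("telnetd: connect from 192.0.2.10")   # constructed
    rec2 = sender.emit("login: ROOT LOGIN ON ttyp0")          # constructed
    loghost.receive(rec1)
    loghost.receive(rec2)

    # An attacker rewriting the message body in transit breaks the tag.
    tampered = json.loads(rec2)
    tampered["msg"] = "login: nothing to see here"
    loghost.receive(json.dumps(tampered))

    # Replaying a previously accepted record is caught by the seq check.
    loghost.receive(rec1)

    return {
        "accepted": len(loghost.accepted),
        "reasons": [reason for _, reason in loghost.rejected],
    }


if __name__ == "__main__":
    print(demo())
```

The sequence number is checked only after the HMAC verifies, so an unauthenticated packet cannot advance the replay window and lock out the genuine sender; the loghost still has to persist `last_seq` across restarts for the replay check to hold. None of this addresses the UDP flooding concern in the message, which needs rate limiting or a connection-oriented transport rather than a signature.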
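Vince reports that every user's .rhosts file appeared, containing only `+ +`, which trusts any user from any host for the r-commands. The check below is an added example, not part of the thread: it walks a directory of home directories, parses each .rhosts, and reports wildcard entries. The home directories and file contents are constructed in `build_sample_homes()` so it runs offline; in practice `scan_rhosts` would be pointed at `/home` or wherever the system keeps home directories.

```python
"""Find wildcard .rhosts trust entries under a tree of home directories
(added example; sample homes are constructed in a temporary directory).

.rhosts lines have the form: hostname [username]. A "+" in the host
field trusts every host, a "+" in the user field trusts every user on
that host, and "+ +" trusts everyone everywhere.
"""
import os
import tempfile


def parse_rhosts(text):
    """Return [(line_number, description)] for each wildcard entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()    # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host == "+" and user == "+":
            findings.append((lineno, "any host, any user"))
        elif host == "+":
            findings.append((lineno, "any host"))
        elif user == "+":
            findings.append((lineno, "any user from %s" % host))
    return findings


def scan_rhosts(home_root):
    """Map home directory name -> wildcard findings, for homes that have any."""
    results = {}
    for entry in sorted(os.listdir(home_root)):
        path = os.path.join(home_root, entry, ".rhosts")
        if not os.path.isfile(path):
            continue
        with open(path) as fh:
            hits = parse_rhosts(fh.read())
        if hits:
            results[entry] = hits
    return results


def build_sample_homes():
    """Create three constructed home directories and return their parent."""
    root = tempfile.mkdtemp(prefix="rhosts-demo-")
    samples = {
        "alice": "+ +\n",                          # the case from the message
        "bob": "trusted.example.org bob\n",        # specific host and user
        "carol": "# comment line\ntrusted.example.org +\n",
        "dave": None,                              # no .rhosts at all
    }
    for name, content in samples.items():
        os.mkdir(os.path.join(root, name))
        if content is not None:
            with open(os.path.join(root, name, ".rhosts"), "w") as fh:
                fh.write(content)
    return root


if __name__ == "__main__":
    for user, hits in scan_rhosts(build_sample_homes()).items():
        for lineno, what in hits:
            print("%s/.rhosts line %d: %s" % (user, lineno, what))
```

A scan like this only tells you what the files say now; since the message notes the files did not exist before the intrusion, the more useful control is to watch for their creation in the first place (file integrity checks on home directories) and to keep the r-commands disabled in inetd.conf so the entries have nothing to grant.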