Date:      Fri, 17 Dec 2004 07:47:35 -0600 (CST)
From:      security@revolutionsp.com
To:        "Ganbold" <ganbold@micom.mng.net>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Strange command histories in hacked shell server
Message-ID:  <65182.81.84.175.77.1103291255.squirrel@81.84.175.77>
In-Reply-To: <6.2.0.14.2.20041216195558.030b0eb0@202.179.0.80>
References:  <6.2.0.14.2.20041216195558.030b0eb0@202.179.0.80>

You should have a script that creates a new user when people login with
'new'. Have you forbidden that script from overwriting your wheel account and
re-creating root?

> Hi,
>
> Sorry for cross posting.
>
> I have a FreeBSD 5.3-stable server which serves as a public shell server.
>
> FreeBSD public.ub.mng.net 5.3-STABLE FreeBSD 5.3-STABLE #6: Wed Nov 24 15:55:36 ULAT 2004     tsgan@public.ub.mng.net:/usr/obj/usr/src/sys/PSH  i386
>
> It has ssh and proftp-1.2.10 daemons.
>
> However it was hacked and I'm trying to analyze it and having some
> difficulties.
>
> The machine is configured in such a way that everyone can create an account
> themselves.
> Some user dir permissions:
> ...
> drwxr-xr-x  2 root       wheel         512 Mar 29  2004 new
> drwx------  3 tamiraad   unix          512 Apr  9  2004 tamiraad
> drwxr-xr-x  6 tsgan      tsgan        1024 Dec 16 17:51 tsgan
> drwx------  4 tugstugi   unix          512 Dec 13 20:34 tugstugi
> drwxr-xr-x  5 unix       unix          512 Dec 13 12:37 unix
> ...
> User should log on as new with password new to create an account.
>
> Accounting is enabled and kern.securelevel is set to 2.
> Only one account 'tsgan' is in the wheel group and only tsgan can become root
> using su.
>
> Following is some strange output from grave-robber (coroner toolkit):
> ...
> Dec 13 04 20:18:40        5 m.c -rw-rw---- tugstugi smmsp    /var/spool/clientmqueue/dfiBDCIeD0001529
> Dec 13 04 20:34:58      512 m.. drwx------ tugstugi unix     /home/tugstugi
> Dec 13 04 20:35:57      512 ..c drwx------ tugstugi unix     /home/tugstugi
> Dec 14 04 00:19:56        0 m.c -rw-rw-rw- tugstugi unix     /home/tugstugi/.myrc
>
> Dec 14 04 00:20:50     9665 m.. -rw-r--r-- tugstugi unix     /home/tsgan/.tmp/known_hosts
>                        9665 m.c -rw-r--r-- tugstugi unix     /home/tugstugi/.ssh/known_hosts
>
> Dec 15 04 19:12:21     1002 m.c -rw------- tugstugi unix     /home/tugstugi/.shrc
> ...
> Somehow he seems to have copied /home/tugstugi/.ssh/known_hosts to
> /home/tsgan/.tmp/known_hosts.
> I don't know why.
>
>
> Following is lastcomm output:
> ...
> sshd             -F      tugstugi         __         0.16 secs Tue Dec 14 23:01
> sh               -       tugstugi         #C:5:0x1   0.03 secs Tue Dec 14 23:02
> su               -       tugstugi         #C:5:0x1   0.02 secs Tue Dec 14 23:38
> ...
> sshd             -F      tugstugi         __         0.08 secs Tue Dec 14 22:41
> sh               -       tugstugi         #C:5:0x1   0.02 secs Tue Dec 14 22:41
> who              -       tugstugi         #C:5:0x1   0.00 secs Tue Dec 14 22:52
> su               -       tugstugi         #C:5:0x1   0.02 secs Tue Dec 14 22:48
> sh               -       tsgan            #C:5:0x1   0.00 secs Tue Dec 14 22:48
> ls               -       tsgan            #C:5:0x1   0.00 secs Tue Dec 14 22:52
> su               -       tsgan            #C:5:0x1   0.02 secs Tue Dec 14 22:49
> csh              -       root             #C:5:0x1   0.03 secs Tue Dec 14 22:49
> ...
>
> In the above, I think he had already hijacked my account and the root password,
> so he used su to become root.
>
> sshd             -F      tsgan            __         0.02 secs Tue Dec 14 00:27
> sh               -       tsgan            ttyp0      0.02 secs Tue Dec 14 00:27
> cat              -       tsgan            ttyp0      0.00 secs Tue Dec 14 00:28
> su               -       tsgan            ttyp0      0.00 secs Tue Dec 14 00:28
> sleep            -       tsgan            ttyp0      0.00 secs Tue Dec 14 00:27
> ^^^^^^
> stty             -       tsgan            ttyp0      0.00 secs Tue Dec 14 00:27
> stty             -       tsgan            ttyp0      0.00 secs Tue Dec 14 00:27
> ^^^^^^
> fortune          -       tsgan            ttyp0      0.00 secs Tue Dec 14 00:27
> ...
>
> I don't quite understand why he used the sleep and stty commands above.
> My suspicion is tty hijacking. Am I right? Correct me if I'm wrong.
>
> sleep            -       tugstugi         #C:5:0x2   0.00 secs Tue Dec 14 00:24
> stty             -       tugstugi         #C:5:0x2   0.00 secs Tue Dec 14 00:24
> stty             -       tugstugi         #C:5:0x2   0.00 secs Tue Dec 14 00:24
> ...
> id               -       tugstugi         #C:5:0x2   0.00 secs Tue Dec 14 00:24
> sleep            -       tugstugi         #C:5:0x2   0.00 secs Tue Dec 14 00:24
> stty             -       tugstugi         #C:5:0x2   0.00 secs Tue Dec 14 00:24
> stty             -       tugstugi         #C:5:0x2   0.00 secs Tue Dec 14 00:24
> id               -       tugstugi         #C:5:0x2   0.00 secs Tue Dec 14 00:24
> cat              -       tsgan            #C:5:0x2   0.00 secs Tue Dec 14 00:24
> ls               -       tsgan            #C:5:0x2   0.00 secs Tue Dec 14 00:24
> su               -       tsgan            #C:5:0x2   0.02 secs Tue Dec 14 00:23
> sh               -       tugstugi         #C:5:0x2   0.00 secs Tue Dec 14 00:23
> ls               -       tugstugi         #C:5:0x2   0.00 secs Tue Dec 14 00:23
> id               -       tugstugi         #C:5:0x2   0.00 secs Tue Dec 14 00:23
> ls               -       tugstugi         #C:5:0x2   0.00 secs Tue Dec 14 00:23
> sleep            -       tugstugi         #C:5:0x2   0.00 secs Tue Dec 14 00:23
> stty             -       tugstugi         #C:5:0x2   0.00 secs Tue Dec 14 00:23
> stty             -       tugstugi         #C:5:0x2   0.00 secs Tue Dec 14 00:23
> ls               -       tugstugi         #C:5:0x2   0.00 secs Tue Dec 14 00:23
> id               -       tugstugi         #C:5:0x2   0.00 secs Tue Dec 14 00:23
> ls               -       tugstugi         #C:5:0x2   0.00 secs Tue Dec 14 00:23
> cat              -       tsgan            #C:5:0x2   0.00 secs Tue Dec 14 00:23
> su               -       tsgan            #C:5:0x2   0.02 secs Tue Dec 14 00:23
> cat              -       tsgan            #C:5:0x2   0.00 secs Tue Dec 14 00:22
> sleep            -       tsgan            #C:5:0x2   0.00 secs Tue Dec 14 00:22
> stty             -       tsgan            #C:5:0x2   0.00 secs Tue Dec 14 00:22
> stty             -       tsgan            #C:5:0x2   0.00 secs Tue Dec 14 00:22
> fortune          -       tsgan            #C:5:0x2   0.00 secs Tue Dec 14 00:22
> ...
> One more strange thing is "#C:5:0x2". What is this?
>
> Again, I'm suspecting that this guy hijacked my tty, got tsgan, and then he
> could log my keystrokes and get the root password. Am I right?
>
> Please give me some advice and info regarding this kind of hack.
> What should I do in order to secure my shell server? I mean, apart from
> securelevel, unneeded services etc.
> Can somebody give me some hints on file and directory permissions?
> Is there anybody who has a similar server config and has already had such
> issues and problems?
> I would appreciate it very much if somebody could help me in this regard.
>
> thanks in advance,
>
> Ganbold
>
> _______________________________________________
> freebsd-hackers@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
>
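The check the reply asks about, as an added example that is not the poster's 'new' script and not FreeBSD code: the self-service login should validate a requested name against the account database before anything reaches pw(8), so an existing account (root, the wheel account, system users) can never be re-created or replaced. The sample passwd and group contents, the name policy regex and the pw(8) argument list are assumptions constructed from the listing in the thread.

```python
import re

# Constructed sample account files mirroring the thread: only tsgan is in wheel.
SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
tsgan:*:1001:1001:Ganbold:/home/tsgan:/bin/sh
tugstugi:*:1002:1003:Tugstugi:/home/tugstugi:/bin/sh
"""
SAMPLE_GROUP = """\
wheel:*:0:root,tsgan
unix:*:1003:
"""
# Assumed policy: lower-case letter first, 3 to 16 alphanumerics, nothing else,
# so "Root", names with spaces or shell metacharacters are rejected up front.
NAME_RE = re.compile(r"^[a-z][a-z0-9]{2,15}$")

def existing_users(passwd_text):
    """Every login name present in passwd(5), whatever its uid."""
    return {l.split(":")[0] for l in passwd_text.splitlines() if l and not l.startswith("#")}

def wheel_members(group_text):
    """Supplementary members of wheel from group(5); reserved even if their
    passwd entry has gone missing."""
    for l in group_text.splitlines():
        f = l.split(":")
        if f[0] == "wheel" and len(f) > 3:
            return {m for m in f[3].split(",") if m}
    return set()

def validate_newuser(name, passwd_text, group_text):
    """Return (ok, reason). Refusing any existing name is what stops the 'new'
    login from overwriting the wheel account or re-creating root."""
    if not NAME_RE.match(name):
        return False, "bad characters or length"
    if name in existing_users(passwd_text):
        return False, "account exists"
    if name in wheel_members(group_text):
        return False, "reserved (wheel member)"
    return True, "ok"

def useradd_command(name, passwd_text, group_text):
    """Argument vector for pw(8): fixed shell, primary group unix (from the
    directory listing), no supplementary groups, so a new account never lands in wheel."""
    ok, reason = validate_newuser(name, passwd_text, group_text)
    if not ok:
        raise ValueError(reason)
    return ["pw", "useradd", name, "-m", "-s", "/bin/sh", "-g", "unix"]
```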
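The lastcomm excerpts above, as an added analysis script that is not part of the thread and not a FreeBSD tool: it parses a constructed copy of the records, decodes the '#C:5:0x2' tty field (the form FreeBSD's devname(3) prints for a character device it cannot name, here major 5 minor 2), and follows the su transitions per tty so that a chain like tugstugi to tsgan to root on one terminal is surfaced without reading the list by hand. The year, the WHEEL set and the sample rows are assumptions taken from the thread.

```python
import re
from datetime import datetime

# Constructed sample in lastcomm(1) column layout (command, flags, user, tty,
# CPU time, start time), newest-exited record first as lastcomm prints them;
# rows taken from the thread's excerpt with the e-mail line wrapping undone.
SAMPLE = """\
su               -       tugstugi         #C:5:0x1   0.02 secs Tue Dec 14 22:48
sh               -       tsgan            #C:5:0x1   0.00 secs Tue Dec 14 22:48
ls               -       tsgan            #C:5:0x1   0.00 secs Tue Dec 14 22:52
su               -       tsgan            #C:5:0x1   0.02 secs Tue Dec 14 22:49
csh              -       root             #C:5:0x1   0.03 secs Tue Dec 14 22:49
sshd             -F      tugstugi         __         0.08 secs Tue Dec 14 22:41
"""
WHEEL = {"tsgan"}  # from the thread: the only account allowed to su to root
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+([\d.]+) secs\s+(.+?)\s*$")

def parse(text, year=2004):
    """Return (cmd, user, tty, hh:mm) tuples, oldest-started first."""
    rows = []
    for n, line in enumerate(text.splitlines()):
        m = ROW.match(line)
        if m:
            cmd, _flags, user, tty, _cpu, when = m.groups()
            start = datetime.strptime(f"{when} {year}", "%a %b %d %H:%M %Y")
            rows.append((start, n, cmd, user, tty))
    # Accounting records are written at process exit, so a parent su exits after
    # the shell it spawned; keeping file order within one minute puts the parent first.
    rows.sort(key=lambda r: (r[0], r[1]))
    return [(cmd, user, tty, start.strftime("%H:%M")) for start, _, cmd, user, tty in rows]

def decode_tty(tty):
    """FreeBSD devname(3) prints an unnamed character device as '#C:major:0xminor';
    returns (major, minor) for such a field and None for a named tty like ttyp0."""
    m = re.match(r"^#C:(\d+):0x([0-9a-f]+)$", tty)
    return (int(m[1]), int(m[2], 16)) if m else None

def su_chains(records):
    """Per tty, report each user change that directly follows an su, carrying the
    user who started the chain; flag root being reached from outside WHEEL."""
    state, hits = {}, []
    for cmd, user, tty, when in records:
        cur = state.get(tty)
        if cur is None or cur["user"] != user:
            via_su = cur is not None and cur["cmd"] == "su"
            origin = cur["origin"] if via_su else user
            if via_su:
                hits.append((tty, when, cur["user"], user, user == "root" and origin not in WHEEL))
            cur = state[tty] = {"user": user, "origin": origin}  # else: su exited or tty reused
        cur["cmd"] = cmd
    return hits
```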