From owner-freebsd-hackers@FreeBSD.ORG Fri Dec 17 16:52:05 2004 Return-Path: Delivered-To: freebsd-hackers@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B054A16A4CE; Fri, 17 Dec 2004 16:52:05 +0000 (GMT) Received: from mail.revolutionsp.com (ganymede.revolutionsp.com [64.246.0.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 34AAA43D2D; Fri, 17 Dec 2004 16:52:05 +0000 (GMT) (envelope-from security@revolutionsp.com) Received: from mail.revolutionsp.com (localhost [127.0.0.1]) by mail.revolutionsp.com (Postfix) with ESMTP id 60AA615C9C; Fri, 17 Dec 2004 07:47:35 -0600 (CST) Received: from 81.84.175.77 (SquirrelMail authenticated user security@revolutionsp.com); by mail.revolutionsp.com with HTTP; Fri, 17 Dec 2004 07:47:35 -0600 (CST) Message-ID: <65182.81.84.175.77.1103291255.squirrel@81.84.175.77> In-Reply-To: <6.2.0.14.2.20041216195558.030b0eb0@202.179.0.80> References: <6.2.0.14.2.20041216195558.030b0eb0@202.179.0.80> Date: Fri, 17 Dec 2004 07:47:35 -0600 (CST) From: security@revolutionsp.com To: "Ganbold" User-Agent: SquirrelMail/1.4.3a X-Mailer: SquirrelMail/1.4.3a MIME-Version: 1.0 Content-Type: text/plain;charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) Importance: Normal X-Mailman-Approved-At: Sat, 18 Dec 2004 13:32:00 +0000 cc: freebsd-security@freebsd.org Subject: Re: Strange command histories in hacked shell server X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 17 Dec 2004 16:52:05 -0000 You should have a script that creates a new user when people login with 'new'. Have you forbid that script from overwriting your wheel account and re-creating root? > Hi, > > Sorry for cross posting. > > I have with FreeBSD 5.3-stable server which serves as a public shell > server. > > FreeBSD public.ub.mng.net 5.3-STABLE FreeBSD 5.3-STABLE #6: Wed Nov 24 > 15:55:36 ULAT 2004 tsgan@public.ub.mng.net:/usr/obj/usr/src/sys/PSH > i386 > > It has ssh and proftp-1.2.10 daemons. > > However it was hacked and I'm trying to analyze it and having some > difficulties. > > Machine is configured in such way that everyone can create an account > itself. > Some user dir permissions: > ... > drwxr-xr-x 2 root wheel 512 Mar 29 2004 new > drwx------ 3 tamiraad unix 512 Apr 9 2004 tamiraad > drwxr-xr-x 6 tsgan tsgan 1024 Dec 16 17:51 tsgan > drwx------ 4 tugstugi unix 512 Dec 13 20:34 tugstugi > drwxr-xr-x 5 unix unix 512 Dec 13 12:37 unix > ... > User should log on as new with password new to create an account. > > Accounting is enabled and kern.securelevel is set to 2. > Only one account 'tsgan' is in wheel group and only tsgan gan become root > using su. > > Following is the some strange output from grave-robber (coroner toolkit): > ... > Dec 13 04 20:18:40 5 m.c -rw-rw---- tugstugi > smmsp /var/spool/clientmqueue/dfiBDCIeD0001529 > Dec 13 04 20:34:58 512 m.. drwx------ tugstugi unix > /home/tugstugi > Dec 13 04 20:35:57 512 ..c drwx------ tugstugi unix > /home/tugstugi > Dec 14 04 00:19:56 0 m.c -rw-rw-rw- tugstugi > unix /home/tugstugi/.myrc > > Dec 14 04 00:20:50 9665 m.. -rw-r--r-- tugstugi > unix /home/tsgan/.tmp/known_hosts > 9665 m.c -rw-r--r-- tugstugi > unix /home/tugstugi/.ssh/known_hosts > > Dec 15 04 19:12:21 1002 m.c -rw------- tugstugi > unix /home/tugstugi/.shrc > ... > Somehow he seems like copied /home/tugstugi/.ssh/known_hosts to > home/tsgan/.tmp/known_hosts. > I don't know why. > > > Following is lastcomm output: > ... > sshd -F tugstugi __ 0.16 secs Tue Dec 14 > 23:01 > sh - tugstugi #C:5:0x1 0.03 secs Tue Dec 14 > 23:02 > su - tugstugi #C:5:0x1 0.02 secs Tue Dec 14 > 23:38 > ... > sshd -F tugstugi __ 0.08 secs Tue Dec 14 > 22:41 > sh - tugstugi #C:5:0x1 0.02 secs Tue Dec 14 > 22:41 > who - tugstugi #C:5:0x1 0.00 secs Tue Dec 14 > 22:52 > su - tugstugi #C:5:0x1 0.02 secs Tue Dec 14 > 22:48 > sh - tsgan #C:5:0x1 0.00 secs Tue Dec 14 > 22:48 > ls - tsgan #C:5:0x1 0.00 secs Tue Dec 14 > 22:52 > su - tsgan #C:5:0x1 0.02 secs Tue Dec 14 > 22:49 > csh - root #C:5:0x1 0.03 secs Tue Dec 14 > 22:49 > ... > > In above I think he already hijacked my account and root password so he > used su to > become root. > > sshd -F tsgan __ 0.02 secs Tue Dec 14 > 00:27 > sh - tsgan ttyp0 0.02 secs Tue Dec 14 > 00:27 > cat - tsgan ttyp0 0.00 secs Tue Dec 14 > 00:28 > su - tsgan ttyp0 0.00 secs Tue Dec 14 > 00:28 > sleep - tsgan ttyp0 0.00 secs Tue Dec 14 > 00:27 > ^^^^^^ > stty - tsgan ttyp0 0.00 secs Tue Dec 14 > 00:27 > stty - tsgan ttyp0 0.00 secs Tue Dec 14 > 00:27 > ^^^^^^ > fortune - tsgan ttyp0 0.00 secs Tue Dec 14 > 00:27 > ... > > I don't quite understand why he used sleep and stty commands in above. > My suspect is tty hijacking. Am I right? Correct me if I'm wrong. > > sleep - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 > 00:24 > stty - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 > 00:24 > stty - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 > 00:24 > ... > id - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 > 00:24 > sleep - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 > 00:24 > stty - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 > 00:24 > stty - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 > 00:24 > id - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 > 00:24 > cat - tsgan #C:5:0x2 0.00 secs Tue Dec 14 > 00:24 > ls - tsgan #C:5:0x2 0.00 secs Tue Dec 14 > 00:24 > su - tsgan #C:5:0x2 0.02 secs Tue Dec 14 > 00:23 > sh - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 > 00:23 > ls - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 > 00:23 > id - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 > 00:23 > ls - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 > 00:23 > sleep - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 > 00:23 > stty - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 > 00:23 > stty - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 > 00:23 > ls - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 > 00:23 > id - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 > 00:23 > ls - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 > 00:23 > cat - tsgan #C:5:0x2 0.00 secs Tue Dec 14 > 00:23 > su - tsgan #C:5:0x2 0.02 secs Tue Dec 14 > 00:23 > cat - tsgan #C:5:0x2 0.00 secs Tue Dec 14 > 00:22 > sleep - tsgan #C:5:0x2 0.00 secs Tue Dec 14 > 00:22 > stty - tsgan #C:5:0x2 0.00 secs Tue Dec 14 > 00:22 > stty - tsgan #C:5:0x2 0.00 secs Tue Dec 14 > 00:22 > fortune - tsgan #C:5:0x2 0.00 secs Tue Dec 14 > 00:22 > ... > One more strange thing is "#C:5:0x2". What is this? > > Again I'm suspecting that, this guy hijacked my tty and got tsgan and then > he could log my keystroke and > get root password. Am I right? > > Please give me some advice and info regarding this kind of hack. > What should I do in order to secure my shell server? I mean except > securelevel, unneeded services etc. > Can somebody give me some hints on file and directory permissions? > Is there anybody who has similar server config and already had such issues > and problems? > I appreciate very much if somebody will help me in this regard. > > thanks in advance, > > Ganbold > > _______________________________________________ > freebsd-hackers@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-hackers > To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org" >