Date: Fri, 27 Jun 1997 16:57:40 +1000
From: David Nugent <davidn@labs.usn.blaze.net.au>
To: "Jordan K. Hubbard" <jkh@time.cdrom.com>, Sean Kelly <kelly@fsl.noaa.gov>, security@freebsd.org
Subject: Re: Attempt to compromise root
Message-ID: <199706270657.QAA00874@labs.usn.blaze.net.au>
In-Reply-To: Your message of "Fri, 20 Jun 1997 11:20:48 MST." <25515.866830848@time.cdrom.com>
> > I've tried ftp'ing to the.art.of.sekurity.org and have been successful
> > only once, but haven't been able to transfer any files. sekurity.org
> > appears registered to an organization called "Insekurity, Inc.".
>
> I've got the contents of the site mirrored now and I'll have a look
> through some of it as I have time. It's possible that there are
> some genuine compromises here, but it's hard to say.

I doubt you'll see much via the anon-ftp login. Like the warez d00dz, these sites hide their l33t stuff behind alternative logins.

FWIW, this attempt looks very similar (even source file names) to things I've seen from time to time as well. Typical, yes. I had one guy once have a working exploit, but he didn't realise you had to run it twice, so he didn't get root, then left the evidence sitting around. Of course, it wasn't the would-be cracker's account, so I guess they didn't care. We were lucky then, and having only months previously been successfully hacked, we had a full md5 of all binaries and very recent config and were confident that root was not compromised.

> > (2) Can we get an option during the FreeBSD install to generate the
> > md5/mtree digest? Naturally, I read up on this feature after the
>
> You mean of the exact tree you've installed? Hmmmm. There are
> the foo.mtree files in each distribution, but is there some reason
> why that wouldn't be enough?

md5 checksums would be the go. But there are tools in existence that already do this, available on many/most UNIX security-related sites. I know that security is an important issue for many people, but I'm not sure that, other than ensuring that there are no /defects/ in the base operating system, it is a role in which FreeBSD should provide anything more. Not to mention that some people who run unconnected to any network, or at least any 'hostile' network, don't need these things anyway.

Having these things as part of the base operating system is more likely to have the reverse effect from what is desired. For example, some Linux distributions come with tcp wrappers installed in the 'standard' install, but how many Linux sites actually use it or even know HOW to use it, and in some cases that it is even there? Or if they do, do they make the usually fatal mistake of assuming that because it is installed and presumably functioning, they are somehow more secure?

Making the tools available is a very minor part of the process - the system administrator needs to understand and use these tools judiciously. No security tool is "install and forget" - that isn't their nature. Having the person fetch the package, install it and READ THE DOCUMENTATION are the most important steps in securing a system.

Regards, David

David Nugent - Unique Computing Pty Ltd - Melbourne, Australia
Voice +61-3-9791-9547 Data/BBS +61-3-9792-3507 3:632/348@fidonet
davidn@freebsd.org davidn@blaze.net.au http://www.blaze.net.au/~davidn/
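The "full md5 of all binaries" baseline the message relies on, as an added example that is not part of the thread: a POSIX sh script that records one MD5 per regular file under a tree and later reports which files were added, removed or changed. It assumes md5sum (GNU) or md5 (BSD) is on PATH, and that the baseline file is kept outside the tree it describes.

```shell
#!/bin/sh
# Integrity baseline of a file tree: record one MD5 per regular file, then
# compare the live tree against that record. Added example, not from the
# thread. Assumes md5sum (GNU) or md5 (BSD) is on PATH; paths must not
# contain newlines. Keep the baseline where the checked host cannot rewrite
# it (read-only media, another machine), or a root compromise can adjust
# the baseline along with the binaries.

digest_file() {
    # Print only the hex digest of one file, whichever tool is available.
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

make_baseline() {
    # make_baseline DIR OUTFILE: one "<md5> <relative path>" line per file.
    dir=$1; out=$2
    ( cd "$dir" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s\n' "$(digest_file "$f")" "$f"
    done ) > "$out"
}

verify_baseline() {
    # verify_baseline DIR BASELINE: print ADDED/CHANGED/MISSING lines and
    # return 1 if the tree no longer matches, 0 if it is unchanged.
    dir=$1; base=$2
    cur=$(mktemp) || return 2
    make_baseline "$dir" "$cur"
    # The path is everything after the first space, so names with spaces survive.
    report=$(awk '
        { p = substr($0, length($1) + 2) }
        FILENAME == ARGV[1] { old[p] = $1; next }
        { new[p] = $1 }
        END {
            for (p in old) if (!(p in new)) print "MISSING " p
            for (p in new) if (!(p in old)) print "ADDED " p
            for (p in new) if ((p in old) && old[p] != new[p]) print "CHANGED " p
        }' "$base" "$cur" | LC_ALL=C sort)
    rm -f "$cur"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```

Run `make_baseline /usr/bin /mnt/readonly/usr-bin.md5` once on a known-good system and `verify_baseline /usr/bin /mnt/readonly/usr-bin.md5` whenever a compromise is suspected; a non-zero exit means at least one file differs from the baseline.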