From: Dan Margolis
To: JohnG
cc: FreeBSD-security@freebsd.org
Date: Thu, 13 Jan 2005 00:03:13 -0500
Subject: Re: Intrusion Suspected, Advice Sought
Message-ID: <20050113050313.GB3475@specialk>
User-Agent: Mutt/1.5.6i

On Thu, Jan 06, 2005 at 08:29:20PM -0800, JohnG wrote:
> I've worked on this machine for about 17 months, and I know its rhythms and what should be what.

It doesn't sound like you have a lot of evidence for a deliberate intrusion versus a system anomaly, but let's entertain the notion for a bit.

- The most likely attack vectors are not remote active attacks--you are, after all, firewalled and not running any listening services, right?--but rather a variety of passive attacks: trojans, Web-based attacks, etc. As in the case of the telnet://, disk://, help://, etc. URI handler vulnerabilities, it is possible for a malicious Website to execute arbitrary code when you visit it.

- If an attacker wanted to preserve access, he'd almost certainly install a backdoor. There are certainly ways to install a network backdoor on a machine that doesn't have remote access facilities without adding an obvious listening service, but since you're behind a firewall, it's hard to imagine this happening, especially for a relatively low-value target such as your desktop PC (unless you're not telling us something about your day job--are you a narc or something? ;)

In other words, the likely scenario here is a passive attack as the initial intrusion, with a very sneaky backdoor as the follow-up. It's hard to imagine this combination; why go to such trouble for a target likely to be 5% of your hits (unless you're a Mac site or something), a large chunk of which won't be vulnerable anyway? It just strikes me as improbable.

Anyway, to regain confidence, your best bet would indeed be a reinstall, but your primary concern (barring buffer overflows via specially crafted documents, etc.) should be executables. If you do an archive reinstall and replace all your third party apps, you'll replace all those without losing your documents, and you're most likely pretty safe.

Another proactive approach is to use something like Samhain, AIDE, or Tripwire--a Host-based Intrusion Detection System. They should work as well on OSX as they do on FreeBSD.

Sorry for the off topic thread, folks. But I was hoping I could be of a little bit of service.

-- 
Dan
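The file-integrity check that Samhain, AIDE and Tripwire perform, as an added example that is not part of the original message or of any of those tools: it baselines the content hash and permission bits of every file under a directory (the executables the reply says to worry about) and later reports what was added, removed or changed. The `bin` tree, its files and the simulated tampering in `demo()` are constructed sample data.

```python
import hashlib
import os
import stat
import tempfile

# Minimal host-based integrity check: record a baseline of each file's content hash
# and mode bits, then compare a later snapshot against it (the core idea of Tripwire/AIDE).

def fingerprint(path):
    """Return (sha256 hex, permission bits) for one file; mode catches a newly set setuid bit."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest(), stat.S_IMODE(st.st_mode)

def baseline(root):
    """Walk `root` and fingerprint every regular (non-symlink) file, keyed by relative path."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                db[os.path.relpath(full, root)] = fingerprint(full)
    return db

def compare(old, new):
    """Report files added, removed, or changed (content or permissions) relative to `old`."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }

def demo():
    """Constructed sample: baseline a small 'bin' tree, tamper with it, then re-check."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "bin"))
        for name in ("ls", "ssh", "login"):
            with open(os.path.join(root, "bin", name), "wb") as f:
                f.write(b"#!/bin/sh\necho " + name.encode() + b"\n")
        before = baseline(root)
        # Simulated changes an integrity check should flag: one binary altered,
        # one unexpected file dropped in, one file deleted.
        with open(os.path.join(root, "bin", "ssh"), "ab") as f:
            f.write(b"# appended bytes\n")
        with open(os.path.join(root, "bin", "new-tool"), "wb") as f:
            f.write(b"#!/bin/sh\n")
        os.remove(os.path.join(root, "bin", "login"))
        return compare(before, baseline(root))

if __name__ == "__main__":
    print(demo())
```

The baseline must be stored off-host (or on read-only media), since an attacker who can alter the binaries can equally alter a database kept beside them.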