Date:      Thu, 3 Dec 1998 11:55:15 -0800 (PST)
From:      Doug White <dwhite@resnet.uoregon.edu>
To:        Mike Alich <mike@cctinc.net>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: Important
Message-ID:  <Pine.BSF.4.03.9812031149160.12937-100000@resnet.uoregon.edu>
In-Reply-To: <3666B40D.18E11DEC@cctinc.net>

On Thu, 3 Dec 1998, Mike Alich wrote:

> I need some help.  My server got hacked into last week and I found out
> that they moved in a new version of login and a few other remote access
> type of programs.  I also noticed they had a file called login.cgi in a
> particular web directory.  Could they have modified login.c and placed
> it for apache to execute and change my root password or login as root
> from a web browser?  Or better yet, cp login.c, modify it, and execute
> it in a standard user's directory under that user name and log in as root
> without the root password?

Since I just had to deal with this last night ..

It's quite possible they modified login, probably to log passwords, have a
backdoor, or whatever.  I'd suggest the following:

1)  Remove all suspicious .cgi's, applications (esp. in /usr/local/*), and
    logfiles to a safe location.  Try to maintain the owner/group and
    modification timestamp.  Don't modify or delete these files -- you may
    want them later!!
2)  Use 'mtree' and the images in /etc/mtree to verify the integrity of
    the system binaries.  mtree should complain about 'login' that the
    size and datestamp don't match.  Same for any other modified file.
    Replace modified files from the FreeBSD CDROM (CD 2 is great for
    this).
3)  Change your password and anyone's who has logged in since the breakin.
    Consider using ssh which does not call login with a password.
4)  Try to find the entry point and close it up.  Are you running imap or
    any of the r*-utilities?  Try running 'file login' to identify the
    type and 'strings login' to see if a logfile is hardcoded in the app.

> I know one of the people that hacked the system.  This user had ftp but
> not telnet access into the server.  But he may have had someone else's
> password for telnet.  This is an ex-sysadmin.  But he never had the root
> password or my own personal password.  And I know this for a fact.

He does now -- you had to use /usr/bin/login to login, and it probably
logs to a file somewhere.

> Also, can you tell me which login program is executed when you go to log
> into the system?  I mean, which directory is this program located in?

/usr/bin/login

Doug White                               
Internet:  dwhite@resnet.uoregon.edu    | FreeBSD: The Power to Serve
http://gladstone.uoregon.edu/~dwhite    | www.freebsd.org
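Added example (not part of Doug's reply or the FreeBSD tree): a small POSIX sh script that does what steps 1 and 2 above describe, preserve the suspect files with their timestamps, then compare a tree against a baseline of sizes and SHA-256 digests, and that ends with the 'file'/'strings' look from step 4. One caveat worth knowing before relying on /etc/mtree: the stock BSD.*.dist specs describe the directory hierarchy (names, owners, modes), not the contents of individual files, so to catch a swapped /usr/bin/login you need a spec taken from a known-good system with file keywords, e.g. 'mtree -c -K sha256digest -p /usr/bin > usr-bin.spec' (md5digest on releases of that era) and later 'mtree -f usr-bin.spec -p /usr/bin'. The script below mirrors that baseline/verify cycle in plain sh so it runs on any system; it assumes a sha256sum, sha256 or shasum binary, uses space-separated spec lines (so paths with spaces are not handled), and demonstrates on a constructed temporary tree rather than a real /usr/bin. Run it from trusted media: on a compromised host, mtree, ls and the checksum tools themselves may have been replaced.

```shell
#!/bin/sh
# Added example: evidence preservation plus an mtree-style baseline/verify
# cycle in portable sh. Tool names and the demo tree are assumptions, not
# anything from the original thread.

# Pick whichever SHA-256 tool exists (Linux: sha256sum, BSD: sha256, macOS: shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{print $1}'
  elif command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"
  else shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Step 1: copy a suspect file aside. cp -p keeps mode and mtime (and owner
# when run as root), so the attacker's timestamps survive for later analysis.
preserve_evidence() {
  mkdir -p "$2" && cp -p "$1" "$2"/ && ls -l "$2"
}

# Step 2a: baseline_spec DIR  -> one line per regular file: relpath size sha256
# (the role of 'mtree -c -K sha256digest', taken while the tree is still clean)
baseline_spec() {
  ( cd "$1" && find . -type f | LC_ALL=C sort | while read -r f; do
      printf '%s %s %s\n' "$f" "$(wc -c < "$f" | tr -d ' ')" "$(sha256_of "$f")"
    done )
}

# Step 2b: verify_spec DIR SPEC -> prints one line per discrepancy (missing,
# size, sha256, extra) and returns 1 if there were any; 0 if the tree matches.
verify_spec() {
  dir=$1; spec=$2
  report=$(
    while read -r f size sum; do
      if [ ! -f "$dir/$f" ]; then echo "missing: $f"; continue; fi
      nsize=$(wc -c < "$dir/$f" | tr -d ' ')
      nsum=$(sha256_of "$dir/$f")
      [ "$nsize" = "$size" ] || echo "size: $f $size -> $nsize"
      [ "$nsum" = "$sum" ] || echo "sha256: $f"
    done < "$spec"
    # Files present now but absent from the baseline (a dropped login.cgi, say).
    ( cd "$dir" && find . -type f | LC_ALL=C sort ) | while read -r f; do
      awk -v p="$f" '$1==p{found=1} END{exit !found}' "$spec" || echo "extra: $f"
    done
  )
  [ -z "$report" ] && return 0
  printf '%s\n' "$report"
  return 1
}

# Step 4: quick look at a preserved binary for hardcoded paths or log files.
inspect_binary() {
  command -v file >/dev/null 2>&1 && file "$1"
  command -v strings >/dev/null 2>&1 && strings "$1" | grep -E '/(tmp|var|dev)/|passw|log' || true
}

# Demonstration on a constructed tree (not a real /usr/bin).
work=$(mktemp -d)
mkdir -p "$work/bin" "$work/evidence"
printf 'pretend this is /usr/bin/login\n' > "$work/bin/login"
printf 'pretend this is /usr/bin/ls\n' > "$work/bin/ls"
baseline_spec "$work/bin" > "$work/bin.spec"          # taken while clean
printf '\n/tmp/.x/pwlog\n' >> "$work/bin/login"         # a trojaned login appears
printf '#!/bin/sh\n' > "$work/bin/login.cgi"             # plus a dropped file
preserve_evidence "$work/bin/login" "$work/evidence"
if verify_spec "$work/bin" "$work/bin.spec"; then
  echo "tree matches baseline"
else
  echo "tree differs from baseline (see above)"
fi
inspect_binary "$work/evidence/login"
rm -rf "$work"
```

The baseline is only as good as where it came from: take it from the install media or a freshly built known-good system, store it off the host, and compare with tools from the same trusted media. A spec generated on the box after the break-in merely enshrines the attacker's versions.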


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message