Date: Thu, 30 Nov 95 07:48:42 -0800
From: Cy Schubert - BCSC Open Systems Group <cschuber@uumail.gov.bc.ca>
To: "Jordan K. Hubbard" <jkh@time.cdrom.com>, Robert Du Gaue <rdugaue@calweb.com>
Cc: security@FreeBSD.org, cy@passer.osg.gov.bc.ca
Subject: Re: ****HELP*****
Message-ID: <199511301548.HAA08436@passer.osg.gov.bc.ca>
In-Reply-To: Your message of "Wed, 29 Nov 95 23:48:11 PST." <7921.817717691@time.cdrom.com>
[header information deleted]

> > Well, we've got a major problem I'm hoping you can solve. Yesterday a
> > user (known pirate) pissed off another hacker and somehow he got into the
> > system and deleted the users directory, took our pw file (cated out in an
> > IRC channel with the encrypted pws). We immediately checked our systems,
> > found sendmail to be 8.9, upgraded all these sendmails to 8.7, blocked 2
> > class addresses that he may have come from, removed root from ftp on one
> > of the machines, and deleted all the lp stuff (since we have no printers).

Sendmail 8.7.2 is the latest version. 8.7 does have a hole where it may be
exploited using the syslog() bug. If you don't receive mail on all of your
systems, don't run sendmail on the systems that don't need it. If you do run
it out of inetd with the "-bs" option, then add a line to crontab with the
"-q" option.

> > Checked for suid programs. Well, we restored the directory, and it got
> > deleted again tonight. We have no idea how he is doing this. He's changed
> > the /etc/raddb/users file (removed the user from the file) also. In a
> > word, I'm stuck, we're unsure of how he's doing it and I'm very scared
> > right now that he'll do something major to the system.

Hackers love to leave backdoors. Check the size and checksum (MD5) of your
login program with that of a system you know has not been compromised. Since
you have more than one machine, don't trust your other machines. They may
have been attacked too. Look in the /dev directory for files that should not
be there, e.g. plaintext files or programs. Make sure that all of the users
in your password file are legitimate. Verify that your ps and netstat
programs are intact. There may be a daemon running on your system that could
allow the hacker to login as root. Make sure your rc.local file has not been
altered nor any bogus entries in your root crontab created.

Are you running NIS? If so, block those ports to outside access. Also block
ports 512 and 520, exec and route.

If you don't provide telnet service to your customers, wrap it. Disallow all
"r" commands (you may allow them between your hosts, however that guarantees
that if one system is compromised all of them are). Considering the fact that
the hacker has removed the user from your radius users file, the hacker knows
something about radius. Block your radius port. Only allow your portmaster to
talk to that port. (My first impression of the freely available Radius source
code was very poor). Of course, block finger, nfs, portmap (or install
portmap3 with TCP/Wrapper extensions), and tftp, just to name a few.

These are just a few ideas that come to mind. There are many more. Check the
latest CERT advisory. They discuss the recent flurry of hacker activity in
it.

I hope this helps.

Regards,                              Phone:    (604)389-3827
Cy Schubert                           OV/VM:    BCSC02(CSCHUBER)
Open Systems Support                  BITNET:   CSCHUBER@BCSC02.BITNET
BC Systems Corp.                      Internet: cschuber@uumail.gov.bc.ca
                                                cschuber@bcsc02.gov.bc.ca

"Quit spooling around, JES do it."
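The host checks the reply recommends (compare login, ps and netstat against checksums taken from a clean system, look for stray regular files in /dev, audit UID-0 accounts in the password file), written up as an added example that is not part of the original mail. It assumes md5sum or md5 is installed (falling back to POSIX cksum), and demo builds a constructed sandbox rather than touching a real system.

```shell
#!/bin/sh
# Added example, not code from the mail above: reusable integrity checks of the
# kind the reply recommends. Paths are arguments so they also run in a sandbox.

hash_file() {  # md5sum (Linux), md5 (BSD), else POSIX cksum as a fallback
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | cut -d' ' -f1
    elif command -v md5 >/dev/null 2>&1; then md5 -q "$1"
    else cksum "$1" | cut -d' ' -f1; fi
}

# make_baseline BASELINE FILE... : record "hash path" per trusted binary;
# take it on a machine known to be clean and keep the output off-host.
make_baseline() {
    out=$1; shift; : > "$out"
    for f in "$@"; do printf '%s %s\n' "$(hash_file "$f")" "$f" >> "$out"; done
}

# check_baseline BASELINE : print each path whose hash changed or that is gone;
# returns 1 if anything differs, 0 if every binary still matches.
check_baseline() {
    rc=0
    while read -r want path; do
        if [ -f "$path" ]; then have=$(hash_file "$path"); else have=MISSING; fi
        [ "$have" = "$want" ] || { echo "MODIFIED: $path"; rc=1; }
    done < "$1"
    return $rc
}

# suspicious_dev DEVDIR : regular files under a device directory; a clean
# /dev holds only nodes and directories, so any hit deserves a look.
suspicious_dev() { find "$1" -type f; }

# root_accounts PASSWD : every account with UID 0; anything beyond root (and
# toor on BSD) is a likely backdoor account.
root_accounts() { awk -F: '$3 == 0 { print $1 }' "$1"; }

# demo : constructed sandbox (not a real system) with a trojaned "login", a
# stray file in a fake /dev and an extra UID-0 user; prints the finding count (3).
demo() {
    tmp=$(mktemp -d); mkdir "$tmp/bin" "$tmp/dev"
    echo 'real login' > "$tmp/bin/login"; echo 'real ps' > "$tmp/bin/ps"
    make_baseline "$tmp/base" "$tmp/bin/login" "$tmp/bin/ps"
    echo 'trojaned' > "$tmp/bin/login"; echo x > "$tmp/dev/.hidden"
    printf 'root:*:0:0::/:/bin/sh\nevil:*:0:0::/:/bin/sh\n' > "$tmp/passwd"
    n=$(check_baseline "$tmp/base" | wc -l)
    n=$((n + $(suspicious_dev "$tmp/dev" | wc -l)))
    n=$((n + $(root_accounts "$tmp/passwd" | grep -vc '^root$')))
    rm -rf "$tmp"; echo "$n"
}
```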