Date:      Wed, 18 Jan 2006 15:56:32 +0200
From:      Kilian Hagemann <hagemann1@egs.uct.ac.za>
To:        freebsd-questions@freebsd.org
Subject:   I have been hacked (WAS: Have I been hacked or is nmap wrong?)
Message-ID:  <200601181556.33030.hagemann1@egs.uct.ac.za>
In-Reply-To: <20060118123451.GA69630@abbott.allenmyland.com>
References:  <200601171907.17831.hagemann1@egs.uct.ac.za> <200601181129.38634.hagemann1@egs.uct.ac.za> <20060118123451.GA69630@abbott.allenmyland.com>

On Wednesday 18 January 2006 14:34, Ken Stevenson pondered:
> Is there any chance you have a router that's forwarding the ports
> in question to another computer?

Not that I know of. The setup is quite simple:

     wireless           ethernet(PPPoE)              ethernet
ISP<------->Modem<------>FreeBSD gateway<------->LAN

FreeBSD is my router with ppp -ddial -nat and a custom ipfw script that blocks 
all incoming connections while allowing legitimate traffic out (with 
keep-state rules).

Check this out: ftp <my_server> gives

220 Frox transparent ftp proxy. Login with username[@host[:port]]
Name (...)

I have never even heard of "frox" before, but after some googling it turns out 
that it's a GPL'ed transparent ftp proxy...

Also, I said smtp ports were open on the machines in question, I just verified 
that I can send emails via BOTH these systems even though no 
sendmail/exim/whatever was ever installed by me and sendmail_enable="None" on 
both.

My servers have been compromised, fantastic. And that with an initial 
firewall'ed setup that left NO open ports (I verified that a while ago with 
nmap). So much for my impression that FreeBSD was secure.

How could this have happened? ipfw buffer overflow? Some other unknown 
vulnerability?

I really wanna find out how they got in (syslog offers no clues btw, I've been 
rootkitted after all :-( Any suggestions other than 
format/reinstall/tripwire?

-- 
Kilian Hagemann

Climate Systems Analysis Group
University of Cape Town
Republic of South Africa
Tel(w): ++27 21 650 2748


