Date:      Tue, 21 Jul 1998 19:06:24 -0500 (CDT)
From:      "Lee Crites (ASC)" <leec@adam.adonai.net>
To:        Drew Derbyshire <ahd@kew.com>
Cc:        security@FreeBSD.ORG
Subject:   Re: hacked and don't know why
Message-ID:  <Pine.BSF.3.96.980721185446.5721A-100000@adam.adonai.net>
In-Reply-To: <199807212051.QAA05632@kendra.ne.mediaone.net>

On Tue, 21 Jul 1998, Drew Derbyshire wrote:

=>My firewall was hacked last night and I don't know how.
=>
=>Only damage is the complete loss of /dev, /bin, and /var/log
=>directories.  The system was more or less up when I checked it
=>this morning, but I had to crash it and rebuild/reload the
=>affected directories using the 2.2.26 live file system CD-ROM. 

This is almost a frightening message.  We were hacked like this
two weeks ago.  How frequently are FreeBSD systems getting hacked
into?  Is there even anyone who has stats on this kind of thing?

In my case, the bin directories (/bin, /sbin, /usr/bin,
/usr/sbin, etc) were still there, just that every program was
replaced with the exact same "dummy" program.  All were, as I
recall, around 180k (exact same size with cmp showing no
differences in any of them).  The funny thing is that ls did what
ls was supposed to do, ps did what it was supposed to do, etc,
even though they were the same size and cmp'd as identical.

The biggest problem we had was this happened at the same time I
was involved in an accident which left me with a fairly severe
concussion.  I knew I was too far gone to really figure out what
was happening, so I just unplugged my router and rebuilt from
scratch.  (note: this was a realistic two day job which stretched
to nearly 10 days as I recovered from the effects of the accident
-- not something I'd recommend to anyone else)

=>firewall filtering is enabled, major services allowed include

In my case, there was no firewall.

=>Suggestions to prevent a repeat?  I'm going to build a new
=>system from scratch to insure clean binaries and the like, but
=>I don't know what hole I left open ... 

Ditto for the request for suggestions.  Is there a FreeBSD
related checklist for security issues like this?

Lee

  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
                       Lee Crites
       Adonai Services Company, Round Rock, Texas
  leec@adonai.net           http://www.adonai.net/~leec
  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
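The symptom Lee describes (every program in /bin and /sbin the same size, cmp showing no difference, yet each still "working") is exactly what a file-integrity baseline catches. The following is an added example, not code from the original thread or from FreeBSD: it records size and SHA-256 for each file under a directory, compares a tree against that baseline, and separately flags groups of byte-identical files. The directory layout, file names and contents are constructed here for demonstration; the baseline must live somewhere the host cannot rewrite (read-only media or another machine), since whoever can replace /bin can also edit a baseline kept beside it.

```python
"""Integrity baseline checker (added example, not from the mailing-list post).

Two checks over a tree of executables such as /bin or /sbin:
 1. Compare each file's size and SHA-256 against a recorded baseline.
 2. Flag groups of files whose contents are byte-identical, the symptom
    from the post (same size everywhere, cmp reports no differences).
"""
import hashlib
import json
import tempfile
from collections import defaultdict
from pathlib import Path


def sha256_of(path):
    """SHA-256 hex digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Return {relative_path: {"size": int, "sha256": hex}} for regular files under root."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            rel = str(p.relative_to(root))
            baseline[rel] = {"size": p.stat().st_size, "sha256": sha256_of(p)}
    return baseline


def compare_to_baseline(baseline, root):
    """Return lists of changed, missing and new relative paths versus the baseline."""
    current = build_baseline(root)
    changed = sorted(k for k in baseline if k in current and current[k] != baseline[k])
    missing = sorted(k for k in baseline if k not in current)
    new = sorted(k for k in current if k not in baseline)
    return {"changed": changed, "missing": missing, "new": new}


def identical_content_groups(root, min_group=3):
    """Group files by content hash and return groups of at least min_group paths.

    Distinct programs normally differ, so a large group of byte-identical
    executables is suspicious even without a baseline to compare against."""
    by_digest = defaultdict(list)
    for rel, info in build_baseline(root).items():
        by_digest[info["sha256"]].append(rel)
    return sorted(g for g in by_digest.values() if len(g) >= min_group)


def make_fixture(base):
    """Constructed sample tree (hypothetical, not real binaries): 'clean' holds
    five distinct fake programs; in 'tampered' four of them are replaced by one
    identical 180 KiB blob and 'sh' is left untouched."""
    base = Path(base)
    clean, tampered = base / "clean", base / "tampered"
    clean.mkdir(parents=True)
    tampered.mkdir(parents=True)
    names = ["ls", "ps", "netstat", "login", "sh"]
    for i, name in enumerate(names):
        (clean / name).write_bytes(b"\x7fELF" + bytes([i]) * 1000 + name.encode())
    blob = b"\x7fELF" + b"\x90" * (180 * 1024)
    for name in names:
        if name == "sh":
            (tampered / name).write_bytes((clean / name).read_bytes())
        else:
            (tampered / name).write_bytes(blob)
    return clean, tampered


def demo():
    """Build the fixture, take a baseline of the clean tree, check the tampered one."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, tampered = make_fixture(tmp)
        baseline = build_baseline(clean)
        # In practice the baseline is written out as JSON and stored off-host;
        # the round trip here shows the comparison works on the reloaded form.
        baseline = json.loads(json.dumps(baseline))
        return {
            "diff": compare_to_baseline(baseline, tampered),
            "identical_groups": identical_content_groups(tampered),
            "clean_groups": identical_content_groups(clean),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run against the real system, the baseline should be taken right after a clean install (before the machine is connected) and re-checked from a trusted boot medium, since a replaced `ls` or `sha256` binary on the compromised host can lie about its own files.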

