Date: Sat, 10 May 2003 15:29:58 -0500 From: Peter Elsner <peter@servplex.com> To: freebsd-security@FreeBSD.ORG Subject: Hacked? (UPDATE) Message-ID: <5.2.0.9.2.20030510151347.017a2f48@mail.servplex.com>
next in thread | raw e-mail | index | archive | help
Update, for those that want to know... The attacker used a worm or bot that tried hundreds (if not thousands) of connections through SMBD. (Samba). I was running 2.2.7. I noticed the attempts for a week, but the log file always showed "access denied" so I wasn't too worried about it. Well, obviously, one of those attempts got through... At this time, the worm (or bot) modified the modification date with a program called systemf (in the /usr/bin directory). This prevented me from listing last modification dates (all dates in ls were replaced with the letter f ). Then he created an /etc/rc.local file and added an entry to start inetd and a trojaned sshd (on port 44444). I put everything in /usr/local/etc/rc.d so I didn't originally have an /etc/rc.local. netstat (in /usr/bin) was renamed to netstats and a new netstat (much smaller in size) was placed in the /usr/bin directory. I'm not really sure what this new netstat did. I believe only the /usr/bin directory and /usr/sbin directory were affected (after doing quite a bit of research), plus the 2 hidden directories that were created and the /etc/rc.local file. The trojaned sshd was stored in /dev/fd/.99 or in /usr/lib/.fx (not sure which). I suspect that the passwd and master.passwd files were then emailed or ftp'd to the hacker for later inspection. This way, even if I close the Samba hole (which I've done), the trojaned sshd that he/she put in place would allow the attacker to get back in using any of the passwords in the passwd/master.passwd list. Anyway, Thanks to all who answered my request for help and more info (both on this list and privately). I have completely fdisk'ed the drive and re-installed. I'm now restoring from last weeks master backup. Peter ---------------------------------------------------------------------------------------------------------- Peter Elsner <peter@servplex.com> Vice President Of Customer Service (And System Administrator) 1835 S. Carrier Parkway Grand Prairie, Texas 75051 (972) 263-2080 - Voice (972) 263-2082 - Fax (972) 489-4838 - Cell Phone (425) 988-8061 - eFax I worry about my child and the Internet all the time, even though she's too young to have logged on yet. Here's what I worry about. I worry that 10 or 15 years from now, she will come to me and say "Daddy, where were you when they took freedom of the press away from the Internet?" -- Mike Godwin Unix IS user friendly... It's just selective about who its friends are. System Administration - It's a dirty job, but somebody said I had to do it. If you receive something that says 'Send this to everyone you know, pretend you don't know me. Standard $500/message proofreading fee applies for UCE.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5.2.0.9.2.20030510151347.017a2f48>