From owner-freebsd-security@FreeBSD.ORG Sat May 10 13:30:06 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5833437B401 for ; Sat, 10 May 2003 13:30:06 -0700 (PDT) Received: from spxgate.servplex.com (ip66-105-58-82.z58-105-66.customer.algx.net [66.105.58.82]) by mx1.FreeBSD.org (Postfix) with ESMTP id 71AA043FE3 for ; Sat, 10 May 2003 13:30:00 -0700 (PDT) (envelope-from peter@servplex.com) Received: from peter.servplex.com ([192.168.0.10]) by spxgate.servplex.com (8.12.8/8.12.6) with ESMTP id h4AKesIM010882 for ; Sat, 10 May 2003 15:40:56 -0500 (CDT) (envelope-from peter@servplex.com) Message-Id: <5.2.0.9.2.20030510151347.017a2f48@mail.servplex.com> X-Sender: peter@mail.servplex.com X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9 Date: Sat, 10 May 2003 15:29:58 -0500 To: freebsd-security@FreeBSD.ORG From: Peter Elsner Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Subject: Hacked? (UPDATE) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 10 May 2003 20:30:06 -0000 Update, for those that want to know... The attacker used a worm or bot that tried hundreds (if not thousands) of connections through SMBD. (Samba). I was running 2.2.7. I noticed the attempts for a week, but the log file always showed "access denied" so I wasn't too worried about it. Well, obviously, one of those attempts got through... At this time, the worm (or bot) modified the modification date with a program called systemf (in the /usr/bin directory). This prevented me from listing last modification dates (all dates in ls were replaced with the letter f ). Then he created an /etc/rc.local file and added an entry to start inetd and a trojaned sshd (on port 44444). I put everything in /usr/local/etc/rc.d so I didn't originally have an /etc/rc.local. netstat (in /usr/bin) was renamed to netstats and a new netstat (much smaller in size) was placed in the /usr/bin directory. I'm not really sure what this new netstat did. I believe only the /usr/bin directory and /usr/sbin directory were affected (after doing quite a bit of research), plus the 2 hidden directories that were created and the /etc/rc.local file. The trojaned sshd was stored in /dev/fd/.99 or in /usr/lib/.fx (not sure which). I suspect that the passwd and master.passwd files were then emailed or ftp'd to the hacker for later inspection. This way, even if I close the Samba hole (which I've done), the trojaned sshd that he/she put in place would allow the attacker to get back in using any of the passwords in the passwd/master.passwd list. Anyway, Thanks to all who answered my request for help and more info (both on this list and privately). I have completely fdisk'ed the drive and re-installed. I'm now restoring from last weeks master backup. Peter ---------------------------------------------------------------------------------------------------------- Peter Elsner Vice President Of Customer Service (And System Administrator) 1835 S. Carrier Parkway Grand Prairie, Texas 75051 (972) 263-2080 - Voice (972) 263-2082 - Fax (972) 489-4838 - Cell Phone (425) 988-8061 - eFax I worry about my child and the Internet all the time, even though she's too young to have logged on yet. Here's what I worry about. I worry that 10 or 15 years from now, she will come to me and say "Daddy, where were you when they took freedom of the press away from the Internet?" -- Mike Godwin Unix IS user friendly... It's just selective about who its friends are. System Administration - It's a dirty job, but somebody said I had to do it. If you receive something that says 'Send this to everyone you know, pretend you don't know me. Standard $500/message proofreading fee applies for UCE.