Date: Wed, 14 Nov 2001 09:58:44 -0500 (EST) From: Chris Thomas <resopmok@gramsc1.dyndns.org> To: Stefan Probst <stefan.probst@opticom.v-nam.net> Cc: freebsd-security@FreeBSD.ORG, Rob Hurle <rob@coombs.anu.edu.au> Subject: Re: AdoreWorm Message-ID: <Pine.BSF.4.40.0111140950260.21241-100000@gramsc1.dyndns.org> In-Reply-To: <5.1.0.14.2.20011114183520.01e71d20@MailServer>
next in thread | previous in thread | raw e-mail | index | archive | help
As other people have suggested numerous times on this list, do not use telnetd! Telnet uses plain text IP packets, meaning _anything_ you type can be read by _anyone_ sniffing packets along the route or at certain machines. If you manage your machine remotely, this means your root password, user account passwords and other sensitive information which can lead to this sort of attack happening again. Please, use ssh, as it encrypts your traffic so that it is unreadable to the human eye, keeping your passwords and activity hidden. Also, be sure to disable login available as root, as this is just not a good idea. In short, whether or not the version of telnetd you are using is patched, telnet is insecure, deprecated and lastly insecure. There is no reason I can think of to use it on any modern server, because ssh clients are widely and freely available for every platform. To end this message out, do not use telnetd! -chris On Wed, 14 Nov 2001, Stefan Probst wrote: > Hi, > > some hours later, lots of grey hair more, but feeling more safe now.... > > As it looks now, somebody in Romania used most probably the telnetd hole > (because there were no other unused services running, and it would be hard > to believe, that somebody on a dial-up line in Romania can sniff telnet > passwords, which usually go from Vietnam via Hongkong to the EastCost) and > got somehow root access. They installed then this AdoreBSD. Luckily, as it > looks right now (I might be wrong), they didn't do anything else - at least > nothing major. > > They furthermore installed from http://www.psychoid.lam3rz.de the psyBNC, > which is obviously kind of an "special" IRC relay ??? > > This psyBNC left a logfile, and I have their ISP now: warpnet.ro, including > some IP numbers, which they used. Not sure, what I should do with that. > > This psyBNC is installed in a directory, with a single space as the name: > /root/ /bsd.tgz > /root/ /bsd/scan-a > /root/ /bsd/telnet > /root/ /bsd/statdx2.tgz > /root/ /bsd/statdx2/luckgo > /root/ /bsd/statdx2/luckscan-a > /root/ /bsd/statdx2/luckstatdx > /root/ /bsd/statdx2/wu > /root/ /psybnc/ > > > Status as of now: > - I deleted /bin/xterm (since I saw that entry in rc.conf) > - I replaced ps with a version, which I downloaded from another server > Luckily, that worked, and I could see the processes again. > - I killed all ./cons.saver processes > - I killed all /bin/xterm processes > - I killed all ./psybnc processes > - To apply the patch as written on the FreeBSD site, didn't work, > because my /usr/src/ directory was empty. > - I tried ssh (which is ok now) to make sure, that I am not locked out, > in case I crash telnetd. > - I replaced telnetd with a patched version which I downloaded > from the other server. > Still can log on. > - I restarted inetd successfully. > - I renamed .fx/cons.saver to be sure, that this is not restarted again > - I changed the root password (not sure, whether this was necessary) > - I replaced rc (I am really lucky, that this is one of the few files, > which I (nosy) downloaded some time ago, so I have a clean copy here) > and rc.conf > - I renamed that /root/ / to something different - to be sure, > that the files in there cannot be started by an unknown process again. > > Outstanding > - find more remains. > - the /var/log/... files are still not written, i.e. size still "0". ??? > > Open Questions: > - I know, that > * ps, telnetd have been replaced > * /var/log/messages has been renamed to "menssages" > * rc, rc.conf have been edited > * processes were started: cons.saver, xterm, psybnc > What more happened / needs to be re-installed/deleted/killed...? > - there is a short file "/etc/syslog.conf.lock" what is this? > Delete it? > > > Thanks to everybody, > Stefan > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.40.0111140950260.21241-100000>