Date: Sun, 12 Aug 2001 22:11:34 +0200 (CEST)
From: Krzysztof Zaraska <kzaraska@student.uci.agh.edu.pl>
To: Matthew Sundling <sundlm@rpi.edu>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: security check output: questionable setuid diffs help?
Message-ID: <Pine.BSF.4.21.0108121930441.516-100000@lhotse.zaraska.dhs.org>
In-Reply-To: <Pine.BSF.4.10.10108121043240.82545-100000@monica.cs.rpi.edu>
On Sun, 12 Aug 2001, Matthew Sundling wrote:

> I am new to the land of maintaining and securing my own unix-like
> box, and so I have been presented with all the new problems
> (interesting learning experiences?) that lie therein.

Welcome aboard. Before we start, you didn't specify what the purpose of your workstation is. Is this a personal workstation, a server, a router? These different configurations require a somewhat different approach. Reading your mail I guessed this is something like a personal workstation.

> I just started reading/following online security related websites
> on how to secure my machine yesterday (before yesterday my
> machine was running at securelevel=-1, with finger/telnet/ftp all
> still active in the default manner), and curiously messages
> appeared in my daily security check emails today (pasted below).

You didn't get any of these emails earlier? They're automatically generated each night.

> Please note the change in time stamp.

If I am correct the only change is moving the timestamp exactly four hours. Haven't you changed your time zone recently? IMHO this is not a pattern I'd expect in "typical" backdooring -- too many files, no other changes seen, although many weird things have been seen. <grin>

> I would also point out the
> fact that I started logging TCP/UDP connection attempts
> yesterday, and it looked like several (~7) machines were port
> scanning.

Kiddiez looking for another victim. This is widely seen nowadays.

> Also, my ISP is a rather open cable modem network.

Nice place to look for a target.

> I did remove all services from the inetd,
> though...

A step in the right direction. Do netstat -atn and look at what else is listening -- you may still have standalone (=not inetd-controlled) services.

> Also, the header of the daily security log included:
>
> To: undisclosed-recipients:;

Mine look the same.

> Is this normal? I ask because I have no 'original' logs to
> compare the header against, so I can't tell if this is normal. I
> checked my crontab, /etc/periodic/* stuff and it _seems_ like root
> is the only recipient, but I can't really tell.

If you're interested, a look at /var/log/maillog should tell you who it was also sent to.

> Any suggestions? Has my machine been penetrated? Any advice?

Although I can't see any direct evidence in your logs, the possibility of intrusion cannot be ruled out. Specifically, it seems to me you've been running an insecure setup with vulnerable telnetd, so I'd consider this a risky situation. I'd recommend taking the following steps:

1. [HIGHLY RECOMMENDED] If possible, backing up all data and doing a reinstall. I'd recommend upgrading to a newer version, specifically RELENG_4_3 (this is 4.3-RELEASE with security fixes) or 4.3-STABLE (a.k.a. 4.4-PRERELEASE).

2. [RECOMMENDED] Set up a firewall. Stock /etc/rc.firewall seems decent for a beginning; edit the "CLIENT" section to put your IP etc., comment out the "incoming email" rule, and enable firewalling in /etc/rc.conf. This will make your machine inaccessible from outside. If you want to provide any services to the outside world you will have to "loosen" this setup.

3. [USEFUL] Once you get a clean system, set up an intrusion detection tool such as aide or tripwire. This will let you know if any of your files were modified (it checks not only for changed size/timestamp/permissions but also the contents of the file).

Good luck.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
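The thread turns on one point: the nightly security check flagged setuid binaries because their timestamps moved, and the reply argues that only a content-aware integrity check (aide, tripwire) can tell a harmless metadata shift from a replaced binary. The script below is an added example illustrating that distinction; it is not code from the original message, from FreeBSD's periodic scripts, or from aide/tripwire. It walks a tree for setuid regular files, records mode, owner, size, mtime and a SHA-256 digest for each, and classifies differences between two baselines. The demo scenario is constructed in a temporary directory: one file gets its mtime shifted by exactly four hours (the pattern Matthew observed), the other gets its contents altered.

```python
"""Setuid baseline with content hashes (added example, not part of the original thread)."""
import hashlib
import os
import stat
import sys
import tempfile


def find_setuid(root):
    """Return sorted paths of regular files under root with the setuid bit set."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return sorted(found)


def sha256_of(path):
    """Stream the file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record the attributes a nightly check compares, plus a content digest."""
    baseline = {}
    for path in paths:
        st = os.lstat(path)
        baseline[path] = {
            "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid,
            "gid": st.st_gid,
            "size": st.st_size,
            "mtime": int(st.st_mtime),
            "sha256": sha256_of(path),
        }
    return baseline


def diff_baseline(old, new):
    """Classify each path: added, removed, content_changed, or metadata_only.

    A timezone change or a touch(1) shows up as metadata_only; a replaced or
    patched binary shows up as content_changed even if mtime is forged back.
    """
    report = {"added": [], "removed": [], "content_changed": [], "metadata_only": []}
    for path in sorted(set(old) | set(new)):
        if path not in old:
            report["added"].append(path)
        elif path not in new:
            report["removed"].append(path)
        elif old[path]["sha256"] != new[path]["sha256"]:
            report["content_changed"].append(path)
        elif old[path] != new[path]:
            report["metadata_only"].append(path)
    return report


def demo():
    """Constructed scenario in a temp dir; returns the report keyed by basename."""
    with tempfile.TemporaryDirectory() as root:
        a = os.path.join(root, "bin_a")
        b = os.path.join(root, "bin_b")
        for p in (a, b):
            with open(p, "wb") as f:
                f.write(b"#!/bin/sh\necho harmless\n")  # constructed sample contents
        base = build_baseline([a, b])
        # bin_a: shift mtime by exactly four hours, contents untouched
        os.utime(a, (0, base[a]["mtime"] - 4 * 3600))
        # bin_b: alter the contents, as a modified binary would
        with open(b, "ab") as f:
            f.write(b"# extra bytes\n")
        report = diff_baseline(base, build_baseline([a, b]))
        return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    print(demo())
    # Optional: scan a real tree given on the command line, e.g. /usr/bin
    if len(sys.argv) > 1:
        for path in find_setuid(sys.argv[1]):
            print(path)
```

In practice the baseline would be written to read-only media right after a clean install (step 1 above) and compared nightly; the point of the digest column is that a timestamp-only difference, like the four-hour shift in the thread, can be triaged quickly, while a content difference on a setuid binary is the signal that demands attention.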