From: gareth
To: stable@freebsd.org
Date: Fri, 29 Dec 2006 01:12:26 +0200
Subject: system breach
Message-ID: <20061228231226.GA16587@lordcow.org>
List-Id: Production branch of FreeBSD source code (freebsd-stable@freebsd.org)
User-Agent: Mutt/1.5.13 (2006-08-11)

hey guys,

my server rebooted a few days ago, and while I was looking around for possible reasons (none came up, which is disconcerting in itself) I found this suspicious directory:

    $ ls -l /tmp/download
    total 44
    drwxr-xr-x  4 root  wheel    512 Oct 23 16:28 Archive_Tar-1.3.1
    drwxr-xr-x  3 root  wheel    512 Oct 23 16:28 Console_Getopt-1.2
    drwxr-xr-x  3 root  wheel    512 Oct 23 16:28 XML_RPC-1.5.0
    -rw-r--r--  1 root  wheel  15433 Jul 12 02:09 package.xml
    -rw-r--r--  1 root  wheel  22193 Jul 12 02:09 package2.xml

The subdirs contain a bunch of .php files, and the xml files are info about version updates of PEAR's "XML-RPC for PHP". They're owned by root (only I have the passwd) so it wasn't made by a local user, and I assume it wasn't made by portupgrade or something like that?

So, I've got no idea how that dir got there. I'm guessing via some web exploit that I still need to look into, and /tmp is mounted 'exec' for some legit processes to function, can't remember which, so it's possible they were able to upload something and run it. chkrootkit, which I've only just installed, seems clear.

Anyway, I'm trying to figure out when this happened to have something to go on, and I don't understand the stat command, for example:

    $ stat /tmp/download/package2.xml
    60 49356 -rw-r--r-- 1 root wheel 198776 22193 "Dec 28 04:03:50 2006" "Jul 12 02:09:14 2006" "Oct 23 16:28:28 2006" "Jul 12 02:09:14 2006" 4096 44 0 /tmp/download/package2.xml

Taking hints from 'stat -x' and 'stat -s' I gather this means:

    access time = Dec 28 04:03:50 2006
    modify time = Jul 12 02:09:14 2006
    change time = Oct 23 16:28:28 2006
    birth time  = Jul 12 02:09:14 2006

Now how many of these dates are local or carried over from the source system, since my system was created at 08:00 on 21 Oct 2006 (i.e. the Jul dates don't make sense)? (Also, what's the difference between modify and change time?) Essentially, is there a way I can tell when the files were put there?

This is the directory's info too:

    $ stat /tmp/download
    60 49346 drwxr-xr-x 5 root wheel 196642 512 "Dec 29 00:53:16 2006" "Oct 23 16:28:28 2006" "Oct 23 16:28:28 2006" "Oct 23 16:28:28 2006" 4096 4 0 /tmp/download

PS. Out of interest, this is the only suspicious thing in the logs I could find:

    Oct 23 00:31:42 lordcow kernel: pid 48464 (conftest), uid 0: exited on signal 12 (core dumped)
    Oct 23 01:19:26 lordcow kernel: pid 17512 (conftest), uid 0: exited on signal 12 (core dumped)

though from google it seems it could be an innocent apache thing. Also, around the 23rd or 24th of Oct I started taking md5sums of all the files in the bin and lib directories, and they haven't changed without my knowledge since then. Of course that doesn't help if the breach was in the 2 odd days before this and after the system was created. Also, snort hasn't reported anything overly suspicious, and all packages are kept up to date.
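The two raw stat lines in the mail can be decoded mechanically, and the four timestamps answer the "when did this land here?" question differently. The script below is an added example, not code from the original mail or from FreeBSD: it parses the default (no -x/-s) output format of FreeBSD stat(1), whose field order is taken from the stat(1) manual page, and applies the forensic rule that mtime (and on UFS2 the birth time) can be restored from a tarball or cp -p, while ctime is written only by the kernel on inode changes and cannot be set through utimes(2). The install time is the one stated in the mail; the sample lines are the ones quoted above, treated as constructed input. It generalises to any stat line in that format, not just these two.

```python
"""Decode FreeBSD stat(1) default output and bound when a file arrived locally.

Added example (not from the mail). Field order follows the stat(1) man page:
  st_dev st_ino st_mode st_nlink st_uid st_gid st_rdev st_size
  "st_atime" "st_mtime" "st_ctime" "st_birthtime" st_blksize st_blocks st_flags name
"""
import shlex
from dataclasses import dataclass
from datetime import datetime

TIME_FMT = "%b %d %H:%M:%S %Y"   # e.g. "Oct 23 16:28:28 2006" (no timezone; local time)

# Constructed sample input: the two stat lines quoted in the mail.
SAMPLE_LINES = [
    '60 49356 -rw-r--r-- 1 root wheel 198776 22193 "Dec 28 04:03:50 2006" '
    '"Jul 12 02:09:14 2006" "Oct 23 16:28:28 2006" "Jul 12 02:09:14 2006" '
    '4096 44 0 /tmp/download/package2.xml',
    '60 49346 drwxr-xr-x 5 root wheel 196642 512 "Dec 29 00:53:16 2006" '
    '"Oct 23 16:28:28 2006" "Oct 23 16:28:28 2006" "Oct 23 16:28:28 2006" '
    '4096 4 0 /tmp/download',
]

# "my system was created at 08:00 on 21 Oct 2006" (stated in the mail).
INSTALL_TIME = datetime(2006, 10, 21, 8, 0, 0)


@dataclass
class StatEntry:
    path: str
    mode: str
    owner: str
    group: str
    size: int
    atime: datetime       # last read
    mtime: datetime       # last content write (settable by utimes, so portable)
    ctime: datetime       # last inode change (kernel-maintained, not settable)
    birthtime: datetime   # UFS2 creation time (archivers may restore it)


def parse_stat_line(line: str) -> StatEntry:
    """Split one default-format stat(1) line; quoted timestamps survive shlex."""
    tokens = shlex.split(line)
    if len(tokens) < 16:
        raise ValueError(f"expected >= 16 fields, got {len(tokens)}: {line!r}")
    ts = lambda s: datetime.strptime(s, TIME_FMT)
    return StatEntry(
        path=" ".join(tokens[15:]),   # file names may themselves contain spaces
        mode=tokens[2],
        owner=tokens[4],
        group=tokens[5],
        size=int(tokens[7]),
        atime=ts(tokens[8]),
        mtime=ts(tokens[9]),
        ctime=ts(tokens[10]),
        birthtime=ts(tokens[11]),
    )


def assess(entry: StatEntry, install_time: datetime) -> dict:
    """Decide which timestamps say anything about arrival on *this* host.

    - mtime travels with the file (tar, cp -p, rsync -t restore it); a value
      earlier than the install date proves it was imported from elsewhere.
    - birthtime can be restored by archivers too; in the mail it equals mtime.
    - ctime is set by the kernel on every inode change and utimes(2) cannot
      touch it, so it is the earliest the file could have existed here
      (barring a changed system clock or raw disk edits).
    - atime advances on every read, including reads by the investigator, so
      it only shows that something opened the file after it was placed.
    """
    return {
        "path": entry.path,
        "mtime_imported": entry.mtime < install_time,
        "birthtime_imported": entry.birthtime < install_time,
        "placed_no_earlier_than": entry.ctime,
        "read_after_placement": entry.atime > entry.ctime,
    }


def report(lines, install_time=INSTALL_TIME):
    """Assess several stat lines and order them by local placement bound."""
    results = [assess(parse_stat_line(l), install_time) for l in lines]
    return sorted(results, key=lambda r: r["placed_no_earlier_than"])


if __name__ == "__main__":
    for r in report(SAMPLE_LINES):
        print(f"{r['path']}: on this host since at least {r['placed_no_earlier_than']}; "
              f"mtime imported={r['mtime_imported']}, "
              f"read after placement={r['read_after_placement']}")
```

Run against the two lines from the mail it reports that both entries cannot have existed on the host before Oct 23 16:28:28 2006, that package2.xml's July mtime and birth time were carried in with the file, and that the file was read again on Dec 28 (the directory's Dec 29 atime is consistent with the ls in the mail itself). The ctime bound is only as good as the system clock was at the time, which is why it is phrased as "no earlier than" rather than as an exact placement time.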