Date: Fri, 07 Aug 1998 15:17:43 -0600
From: Brett Glass <brett@lariat.org>
To: Ollivier Robert <roberto@keltia.freenix.fr>, FreeBSD-security@FreeBSD.ORG
Cc: hackers@FreeBSD.ORG
Subject: Re: Does this mean we have another breakin?
Message-ID: <199808072337.RAA13808@lariat.lariat.org>
In-Reply-To: <19980807122035.A4145@keltia.freenix.fr>
References: <o1zqteasq.fsf@mew.gol.com> <199808051643.KAA04281@lariat.lariat.org> <19980805234700.A23220@keltia.freenix.fr> <o90l2bshu.fsf@mew.gol.com> <19980806131045.A28059@keltia.freenix.fr> <o1zqteasq.fsf@mew.gol.com>
We have set up Tripwire, and are getting "Alarums and Excursions" (with apologies to old Will Shakespeare) from changed "last modification" dates on executables. Is this a bug or a break-in? I could not find anything about a bug anywhere in the GNATS database.

When we encountered the changed files, we were sure we were being hacked by the same intruder who "owned" us via QPopper not long ago. That intruder installed several Trojans; perhaps as many as half a dozen. We dealt with that first break-in by wiping the disk, installing 2.2.7-RELEASE, bringing back all the e-mail and user data, forcing 250 users to change passwords, and having two people audit each one of our administrative Perl scripts and shell scripts. We also audited every configuration file that can specify that a program should be run, meaning everything from our customized sendmail.cf to rc.everything to /etc/crontab. That process took 4 people a full weekend (not counting the time it took to notify every single user) and took a mail server that serves 250 people down for a full day. Not to mention the cost of all of that pizza. ;-)

We were about to do it AGAIN. Now we're holding out some hope that it's just a bug -- though perhaps the same one that's crashing us when we try to back up.

In any event, I just received private e-mail stating that at least one person has encountered VM problems in -stable under heavy CPU loads when the swapper kicks in. According to the message, they cause corruption of file modification dates. Is this a known bug? If so, could it also be responsible for the spontaneous crashes we see when we pipe dump | gzip | ftp for backups?

--Brett

At 12:20 PM 8/7/98 +0200, Ollivier Robert wrote:
>According to Just Another Perl Hacker:
>> I assume that these spontaneous writebacks *could* occur not only to
>> setuid(2)'d executables such as sendmail(8), but to arbitrary command
>> as a file on the filesystem.
>
>Of course, but unless you run Tripwire, the /etc/security script will detect
>changes only on setuid/setgid ones.
>--
>Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr
>FreeBSD keltia.freenix.fr 3.0-CURRENT #62: Mon Jul 27 20:47:08 CEST 1998
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199808072337.RAA13808>
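The check this thread circles around, written out as an added example (this is not Tripwire, not FreeBSD's /etc/security, and not code from any poster): it baselines the content hash, mtime and permission bits of a set of files, then reports a timestamp change on identical bytes separately from a real content change, and flags a file that gains setuid/setgid, which is the only case the /etc/security script would catch. The file names and the temporary-directory scenario in demo() are constructed for the example.

```python
"""Tripwire-style integrity check that separates a real content change from a
bare mtime change.  Added example for this thread; not Tripwire, not FreeBSD's
/etc/security, and not code from any poster.  All file names are constructed."""
import hashlib
import os
import shutil
import stat
import tempfile
from typing import Dict, List, Tuple

# One baseline record per file: (sha256 of contents, mtime in ns, permission bits, size)
Record = Tuple[str, int, int, int]


def fingerprint(path: str) -> Record:
    """Hash the file's bytes and record the metadata the comparison looks at."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.lstat(path)
    return (h.hexdigest(), st.st_mtime_ns, stat.S_IMODE(st.st_mode), st.st_size)


def build_baseline(paths: List[str]) -> Dict[str, Record]:
    """Fingerprint every regular file in paths.  In real use the result must be
    stored where the monitored host cannot rewrite it (read-only media, another host)."""
    return {p: fingerprint(p) for p in paths if os.path.isfile(p)}


def compare(baseline: Dict[str, Record], current: Dict[str, Record]) -> Dict[str, List[str]]:
    """Classify differences per path.
    content-changed : hash differs, the bytes really were replaced
    mtime-only      : identical bytes, different timestamp (the symptom in the thread)
    mode-changed    : permission bits differ
    setuid-added    : file gained setuid or setgid, the case /etc/security checks
    missing / new   : file disappeared or appeared
    """
    findings: Dict[str, List[str]] = {}
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        f: List[str] = []
        if old is None:
            f.append("new")
        elif new is None:
            f.append("missing")
        else:
            if old[0] != new[0]:
                f.append("content-changed")
            elif old[1] != new[1]:
                f.append("mtime-only")
            if old[2] != new[2]:
                f.append("mode-changed")
                gained = new[2] & ~old[2]
                if gained & (stat.S_ISUID | stat.S_ISGID):
                    f.append("setuid-added")
        if f:
            findings[path] = f
    return findings


def demo() -> Dict[str, List[str]]:
    """Constructed scenario in a temp dir: baseline four fake binaries, then
    replace one, bump one's mtime without touching its bytes, make one setuid,
    delete one and add one.  Returns findings keyed by basename."""
    d = tempfile.mkdtemp()
    try:
        names = ["sendmail", "ls", "cat", "popper"]
        for n in names:
            with open(os.path.join(d, n), "wb") as fh:
                fh.write(b"#!/bin/sh\necho " + n.encode() + b"\n")
            os.chmod(os.path.join(d, n), 0o755)
        baseline = build_baseline([os.path.join(d, n) for n in names])

        with open(os.path.join(d, "sendmail"), "wb") as fh:   # bytes differ
            fh.write(b"#!/bin/sh\necho replaced\n")
        st = os.stat(os.path.join(d, "ls"))                     # bytes identical, mtime +1s
        os.utime(os.path.join(d, "ls"), ns=(st.st_atime_ns, st.st_mtime_ns + 10**9))
        os.chmod(os.path.join(d, "cat"), 0o4755)                # gains setuid
        os.remove(os.path.join(d, "popper"))                    # vanishes
        with open(os.path.join(d, "newbin"), "wb") as fh:       # appears
            fh.write(b"#!/bin/sh\n")

        current = build_baseline([os.path.join(d, n) for n in os.listdir(d)])
        return {os.path.basename(p): v for p, v in compare(baseline, current).items()}
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name:10s} {', '.join(findings)}")
```

A matching hash under a moved timestamp is consistent with the metadata corruption being discussed and is worth reporting as its own class rather than as an alarm; a hash mismatch on an executable is the case that justifies the rebuild-and-audit procedure Brett describes. Whatever the classifier says, the baseline itself is only trustworthy if it was taken from a known-good install and kept out of reach of the host it describes.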