From owner-freebsd-hackers Fri Aug 7 16:37:46 1998
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA21002 for freebsd-hackers-outgoing; Fri, 7 Aug 1998 16:37:46 -0700 (PDT) (envelope-from owner-freebsd-hackers@FreeBSD.ORG)
Received: from lariat.lariat.org ([206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA20991; Fri, 7 Aug 1998 16:37:41 -0700 (PDT) (envelope-from brett@lariat.org)
Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.6) id RAA13808; Fri, 7 Aug 1998 17:37:21 -0600 (MDT)
Message-Id: <199808072337.RAA13808@lariat.lariat.org>
X-Sender: brett@127.0.0.1
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.1
Date: Fri, 07 Aug 1998 15:17:43 -0600
To: Ollivier Robert, FreeBSD-security@FreeBSD.ORG
From: Brett Glass
Subject: Re: Does this mean we have another breakin?
Cc: hackers@FreeBSD.ORG
In-Reply-To: <19980807122035.A4145@keltia.freenix.fr>
References: <199808051643.KAA04281@lariat.lariat.org> <19980805234700.A23220@keltia.freenix.fr> <19980806131045.A28059@keltia.freenix.fr>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

We have set up Tripwire, and are getting "Alarums and Excursions" (with apologies to old Will Shakespeare) from changed "last modification" dates on executables. Is this a bug or a break-in? I could not find anything about a bug anywhere in the GNATS database.

When we encountered the changed files, we were sure we were being hacked by the same intruder who "owned" us via QPopper not long ago. That intruder installed several Trojans; perhaps as many as half a dozen. We dealt with that first break-in by wiping the disk, installing 2.2.7-RELEASE, bringing back all the e-mail and user data, forcing 250 users to change passwords, and having two people audit each one of our administrative Perl scripts and shell scripts. We also audited every configuration file that can specify that a program should be run, meaning everything from our customized sendmail.cf to rc.everything to /etc/crontab. That process took 4 people a full weekend (not counting the time it took to notify every single user) and took a mail server that serves 250 people down for a full day. Not to mention the cost of all of that pizza. ;-)

We were about to do it AGAIN. Now we're holding out some hope that it's just a bug -- though perhaps the same one that's crashing us when we try to back up.

In any event, I just received private e-mail stating that at least one person has encountered VM problems in -stable under heavy CPU loads when the swapper kicks in. According to the message, they cause corruption of file modification dates. Is this a known bug? If so, could it also be responsible for the spontaneous crashes we see when we pipe dump | gzip | ftp for backups?

--Brett

At 12:20 PM 8/7/98 +0200, Ollivier Robert wrote:
>According to Just Another Perl Hacker:
>> I assume that this spontaneous writebacks *could* occur not only to
>> setuid(2)'d executables such as sendmail(8), but to arbitrary command
>> as a file on the filesystem.
>
>Of course but unless you run Tripwire, the /etc/security script will detect
>changes only on setuid/setgid ones.
>--
>Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr
>FreeBSD keltia.freenix.fr 3.0-CURRENT #62: Mon Jul 27 20:47:08 CEST 1998
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe security" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
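The thread's open question is whether a changed modification date on an executable means the binary was replaced or merely that its timestamp was corrupted. An integrity baseline that records a content hash alongside the mtime can separate the two cases: an unchanged hash with a moved mtime is a metadata-only event, while a changed hash means the bytes on disk differ. The following is an added example written for this page, not Tripwire's code and not the FreeBSD /etc/security script; it baselines a constructed set of files in a temporary directory, then bumps one file's mtime without touching its contents and rewrites another, and classifies each difference. It also records whether each file is setuid/setgid, since the quoted reply notes that /etc/security only watches those.

```python
import hashlib
import os
import stat
import tempfile


def file_record(path):
    """Collect the attributes an integrity checker compares for one file."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
        "mtime": st.st_mtime,
        "setid": bool(st.st_mode & (stat.S_ISUID | stat.S_ISGID)),
        "sha256": h.hexdigest(),
    }


def snapshot(paths):
    """Baseline: path -> record for every regular file that exists."""
    return {p: file_record(p) for p in paths if os.path.isfile(p)}


def classify(old, new):
    """Classify one file's change. The content hash is the deciding signal:
    a moved mtime with an identical hash is a metadata-only event (what a
    kernel bug corrupting timestamps would look like), whereas a changed
    hash means the executable's bytes really differ."""
    if old is None:
        return "new"
    if new is None:
        return "missing"
    if old["sha256"] != new["sha256"] or old["size"] != new["size"]:
        return "content_changed"
    if old["mtime"] != new["mtime"] or old["mode"] != new["mode"]:
        return "metadata_only"
    return "unchanged"


def compare(baseline, current):
    """Classify every path present in either the baseline or the new scan."""
    return {
        p: classify(baseline.get(p), current.get(p))
        for p in sorted(set(baseline) | set(current))
    }


def demo():
    """Constructed scenario (not data from the original thread): three fake
    'executables'. One gets its mtime bumped with no content change, one is
    rewritten with different bytes, one is left alone."""
    with tempfile.TemporaryDirectory() as d:
        touched = os.path.join(d, "touched_bin")
        rewritten = os.path.join(d, "rewritten_bin")
        untouched = os.path.join(d, "untouched_bin")
        paths = [touched, rewritten, untouched]
        for p in paths:
            with open(p, "wb") as f:
                f.write(b"#!/bin/sh\necho original\n")
            os.chmod(p, 0o755)
        baseline = snapshot(paths)

        # mtime-only change: same bytes, timestamp moved forward one hour
        later = baseline[touched]["mtime"] + 3600
        os.utime(touched, (later, later))
        # content change: the file is replaced with different bytes
        with open(rewritten, "wb") as f:
            f.write(b"#!/bin/sh\necho modified\n")

        report = compare(baseline, snapshot(paths))
        return {os.path.basename(p): v for p, v in report.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

In practice the baseline would be written to read-only or offline media, as with Tripwire's database, and the paths list would cover the system binaries and the configuration files the message describes auditing (sendmail.cf, the rc scripts, /etc/crontab); a "content_changed" verdict on any of them is the case that warrants the rebuild, while a run of "metadata_only" verdicts points toward the timestamp-corruption explanation.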