From owner-freebsd-questions Mon Dec 18 13: 9:20 2000
From owner-freebsd-questions@FreeBSD.ORG Mon Dec 18 13:09:16 2000
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from cmr2.ash.ops.us.uu.net (cmr2.ash.ops.us.uu.net [198.5.241.40]) by hub.freebsd.org (Postfix) with ESMTP id 8248337B402 for ; Mon, 18 Dec 2000 13:09:15 -0800 (PST)
Received: from imr3.ash.ops.us.uu.net by cmr2.ash.ops.us.uu.net with ESMTP (peer crosschecked as: imr3.ash.ops.us.uu.net [153.39.43.47]) id QQjudo03942; Mon, 18 Dec 2000 21:09:09 GMT
Received: from sysenglt112 by imr3.ash.ops.us.uu.net with SMTP (peer crosschecked as: ippool144-215.corp.us.uu.net [153.39.144.215]) id QQjudo13949; Mon, 18 Dec 2000 21:08:40 GMT
Reply-To:
From: "Raymond Hicks"
To: "'Jonathan Fosburgh'", "'Tim McMillen'"
Cc: "'Gerald T. Freymann'", "'Questions'"
Subject: RE: Hacker history file - OUCH
Date: Mon, 18 Dec 2000 16:11:29 -0500
Message-ID: <003e01c06937$17914cd0$d7902799@sysenglt112>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
In-Reply-To: <3A3E7AC9.40306@mail.mdanderson.org>
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4
Importance: Normal
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

This is not good information.. the best thing to do is NOT to shut down the
machine.. you may lose vital info if you have in fact been rooted.. you should
however remove your machine from the network... and plug it in to another blank
ethernet hub so as not to fill your logs with interface down error messages..

To postmortem a box is a complex process because you cannot be sure that you
have not had any command replacements and rootkits applied to your box... try
to check the integrity of your commands and last change date.. as well as your
$path.
If needed replace the commands on your box to be sure that everything is in
fact working correctly.. try getting lsof or similar proggy like fstat to check
files and processes... you will want to see if there are any other back doors
on your machine... comb your logs and see what you can find there.. hope this
gets you started...

lates
http://bsdvault.net

-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG
[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Jonathan Fosburgh
Sent: Monday, December 18, 2000 4:00 PM
To: Tim McMillen
Cc: Gerald T. Freymann; Questions
Subject: Re: Hacker history file - OUCH

Tim McMillen wrote:
>
> Do you know for sure it was an intruder? Or was it just one of
> your users? Either way that doesn't look good. I'm no security expert,
> but the programs they compiled and ran could easily be backdoors to get in
> easily the next time. It's hard (for me) to tell how bad it is without
> knowing whether they were successful in getting root privileges. In the
> history file we don't see the output of the command. Nothing he did
> afterwards seems to require root privileges, but if he had them then
> those programs could easily be backdoors. I would consider the box
> compromised. Is it still in use? The best way to get the most
> information about an attack is to shutdown and halt the machine ASAP.
> Then mount everything read only (perhaps on another machine). Then look
> around. That way you won't overwrite possible clues. Any disk access
> after the intruder is there can overwrite that, and that is bad for
> evidence.
> You may want to contact the administrators at the sites he ftp'd
> to to alert them and see if they can tell what those files were that he
> downloaded.
>
> Tim

The results of the su ought to be in /var/log/messages. Especially the one to
toor. You should either see a success or failure message. Of course, he can
only su to toor if the user he was in as is in group wheel.

--
Jonathan Fosburgh
Open Systems
Communications and Computer Services
UT MD Anderson Cancer Center
Houston, TX

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
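The /var/log/messages check Jonathan describes, as an added example that is not part of the thread: a POSIX sh script that separates failed su attempts ("BAD SU") from successful ones and flags any switch to toor. The log lines are constructed, and their layout is my recollection of FreeBSD su(1) syslog output, so compare it against the lines in your own messages file before relying on the patterns.

```shell
#!/bin/sh
# Added example: triage su records in a syslog-style messages file.
# Assumed line shapes (verify on your system):
#   success: "... su: <user> to <target> on /dev/ttypN"
#   failure: "... su: BAD SU <user> to <target> on /dev/ttypN"

# Constructed sample log standing in for /var/log/messages.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Dec 18 15:41:02 host su: BAD SU jdoe to root on /dev/ttyp0
Dec 18 15:41:09 host su: BAD SU jdoe to toor on /dev/ttyp0
Dec 18 15:42:30 host su: jdoe to toor on /dev/ttyp0
Dec 18 15:50:11 host sshd[412]: Accepted password for jdoe from 10.0.0.5
Dec 18 16:01:45 host su: alice to root on /dev/ttyp1
EOF

# Successful switches: su lines that are not BAD SU failures.
good_su() {
    grep ' su: ' "$1" | grep -v 'BAD SU'
}

# Failed attempts, which precede the success when a password was guessed.
bad_su() {
    grep ' su: BAD SU ' "$1"
}

# Successful switches to the toor account, the case the thread cares about.
toor_success() {
    good_su "$1" | grep ' to toor '
}

# Count the output lines of one of the functions above.
count_lines() {
    "$@" | wc -l | tr -d ' '
}

# Human-readable report; "(none)" when a category is empty.
su_report() {
    printf 'Failed su attempts:\n'
    bad_su "$1" || printf '  (none)\n'
    printf 'Successful su:\n'
    good_su "$1" || printf '  (none)\n'
    printf 'Successful su to toor (check wheel membership of these users):\n'
    toor_success "$1" || printf '  (none)\n'
}

su_report "$SAMPLE_LOG"
```

Run it against the real file with `su_report /var/log/messages` on a copy taken from the read-only image, not on the live box.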