From owner-freebsd-security Tue Dec 10 06:43:39 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id GAA05416 for security-outgoing; Tue, 10 Dec 1996 06:43:39 -0800 (PST)
Received: from ux9.cso.uiuc.edu (igor@ux9.cso.uiuc.edu [128.174.5.39]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id GAA05392 for ; Tue, 10 Dec 1996 06:43:34 -0800 (PST)
Received: (from igor@localhost) by ux9.cso.uiuc.edu (8.8.4/8.8.4) id IAA01109; Tue, 10 Dec 1996 08:43:31 -0600 (CST)
Date: Tue, 10 Dec 1996 08:43:31 -0600 (CST)
From: igor vladimirovich roshchin
Message-Id: <199612101443.IAA01109@ux9.cso.uiuc.edu>
To: tabo@io.org
Subject: Re: URGENT: Packet sniffer found on my system
Cc: freebsd-security@FreeBSD.ORG
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Hi, powerful All!

I don't know how relevant this is, but it might give you some clue.

On my FreeBSD box I've recently seen that somebody (different people, from different hosts, from different countries) attacked, using something similar to, if not exactly, a "denial of service attack". This happened both with the "standard" ftpd and wu-ftpd. The attacker was just opening multiple connections until the limit of open files was reached. Then I am not sure what happened; I hope he was not able to get anything from that, but I am not completely sure.

Since syslogd doesn't log ftpd messages separately, I'd advise you to use

    !ftpd
    *.*   /var/log/ftp.log

or something similar. This might help you to be sure you are not getting the abuser through ftp. You can also set logging of all the commands being issued, using /usr/local/etc/ftpaccess.

Try also to log your activity to another host as well (to prevent the attacker from erasing log files), e.g.:

    *.notice;auth.*   @very.secured.host

(I am talking about /etc/syslog.conf.)

BTW, you are using find (and ls) to find these or those files; check those binaries, they could've been "patched". Have you also checked the binaries which are run from crontab, like /sbin/adjkerntz -a and /usr/libexec/atrun, making sure they are not "patched"? Check also libc.a and ld.so, making sure they are not rewritten.

BTW, although this is not crucial, you seem to be using sendmail from the original package, probably without the FreeBSD patches. (With the FreeBSD patches you would not get some of the hardlinks to sendmail; there would be just 3 files.) I think you don't really need the "hoststat" program, do you?

You are using screen. I haven't been following the evolution of this package (just haven't heard about it recently), but I remember that there were some security issues regarding it. Maybe somebody can confirm or reject this possibility.

Sorry if I wrote something too obvious or lame, but I just tried to think about other possibilities....

Igor
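Igor's advice to check find, ls, adjkerntz, atrun, libc.a and ld.so for tampering is easiest to act on with a checksum baseline recorded while the system is still trusted and kept off-host (on the same "very.secured.host" that receives the remote syslog copy, for instance). The script below is an added example, not part of Igor's mail or of FreeBSD; it assumes either GNU sha256sum or BSD sha256(1) is installed, and the file paths in the demonstration are constructed scratch files, not real system binaries.

```shell
#!/bin/sh
# Added example (not from the original mail): take a SHA-256 baseline of a list
# of binaries and later verify every entry, reporting files that are missing or
# whose contents changed.  Assumption: sha256sum (GNU) or sha256 (BSD) exists.

# Print the SHA-256 digest of one file, whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        sha256 -q "$1"        # BSD sha256(1): -q prints only the digest
    fi
}

# make_baseline BASELINE FILE... : write one "digest path" line per file.
# Copy BASELINE off the host right after creating it; an intruder who can
# replace /bin/ls can also edit a baseline left on the same disk.
make_baseline() {
    baseline=$1; shift
    : > "$baseline"
    for f in "$@"; do
        printf '%s %s\n' "$(sha256_of "$f")" "$f" >> "$baseline"
    done
}

# verify_baseline BASELINE : recompute each digest and compare.
# Prints OK / MODIFIED / MISSING per file; returns 0 only if all match.
verify_baseline() {
    baseline=$1
    bad=0
    while read -r want path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; bad=1; continue
        fi
        have=$(sha256_of "$path")
        if [ "$have" != "$want" ]; then
            echo "MODIFIED $path"; bad=1
        else
            echo "OK       $path"
        fi
    done < "$baseline"
    return $bad
}

# Stand-alone demonstration on constructed files in a scratch directory.
# On a real host the list would be /usr/bin/find /bin/ls /sbin/adjkerntz
# /usr/libexec/atrun /usr/lib/libc.a and the ld.so in use.
demo() {
    dir=$(mktemp -d)
    printf 'genuine ls\n'   > "$dir/ls"
    printf 'genuine find\n' > "$dir/find"
    make_baseline "$dir/baseline.sha256" "$dir/ls" "$dir/find"
    verify_baseline "$dir/baseline.sha256"          # everything reports OK
    printf 'trojaned ls\n'  > "$dir/ls"              # simulate a "patched" binary
    if verify_baseline "$dir/baseline.sha256"; then
        echo "unexpected: tampering not detected"
    fi
    rm -rf "$dir"
}
demo
```

Run the baseline step from a trusted boot (install media or a known-clean system) rather than from the possibly compromised host, since sha256sum, awk and sh themselves could be among the "patched" binaries; for the same reason, the verification is only as good as the tools used to run it.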