Date:      Tue, 2 Oct 2001 18:12:50 +0000 (GMT)
From:      Jason <jason@jason-n3xt.org>
To:        Ted Mittelstaedt <tedm@toybox.placo.com>
Cc:        questions@FreeBSD.ORG
Subject:   RE: I was rooted using telnet
Message-ID:  <Pine.BSF.4.21.0110021807320.29974-100000@jason-n3xt.org>
In-Reply-To: <003301c14b21$7d8bc340$1401a8c0@tedm.placo.com>

Umm.. no.

If I was awake at the time I would have seen the telnetd daemon using
100% of the CPU.  For them to keep accessing my box without running the
buffer overflow script over and over they would have to have created
themselves an account.  The buffer overflow exploit takes a while to run,
uses a lot of bandwidth and causes telnetd to use noticeably more CPU
resources than normal.  If they create themselves accounts then I would
know it really fast several ways.

Since this box is more or less a shell server, I pay very very close
attention to who's connected and what's going on.

Had I not been sleeping I would have noticed instantly and said
"Hmm.. this isn't right."

I do agree that once a box has been rooted it is not trustworthy.  Which
is why I have switched to a completely different box. :)

----
Jason
jason@jason-n3xt.org


On Tue, 2 Oct 2001, Ted Mittelstaedt wrote:

> Hi Jason et al.,
> 
>   I know it's a bit late to jump in here but let's be clear:
> 
>  a couple of days ago YOU DISCOVERED that you were rooted by someone using
> a telnet exploit.
> 
>   I know it sounds like a tired old saw here folks but I'll repeat it again:
> 
> Once a system has been root compromised it's completely untrustworthy unless
> nuked and repaved, and anything restored to it is certified clean.  THIS
> INCLUDES SOURCES OF ANYTHING YOU WERE WORKING ON!!!
> 
> It's entirely possible that the crackers rooted you months before you
> discovered it and were sufficiently clever about it that they cleaned up
> after themselves so that when they finally got careless and you discovered
> them, you only THOUGHT that they had rooted you a few days ago.  Once I get
> root on your machine I can alter anything I want and make you believe
> anything I want, if I'm sufficiently clever about doing it.
> 
> Even the little baby wannabe crackers learn in cracking 101 that the very
> first thing to do once you got a system compromised is to install a plethora
> of back doors.  Once that happens you can CVSUP and buildworld until the
> cows come home and it's not going to guarantee to kill all the trojans in
> the system.  The crackers can easily install back doors in your source tree
> as well as the binaries.
> 
> Face the facts - you got cracked by someone because you overlooked something
> and made a mistake.  Understand that this isn't a reflection on you - everyone
> makes mistakes and the cracker was probably running some script that he was
> too stupid to understand its functionality or how to modify it anyway.  But,
> you're deluding yourself if you think that you can somehow "clean up" your
> system by going through it and recompiling this and that.  Only a complete
> remove and reinstall is going to guarantee that you have a system clean of
> any trojans.  I know that people whine and cry about it because nobody likes
> backing up and the theory is somehow you can do an overwrite install that is
> going to preserve all your settings and such without the bother of typing
> them all in again.  But, you have to own up that some mistakes that you make
> are going to have consequences that are going to be very costly, without
> quick fixes.
> 
> Ted Mittelstaedt                                       tedm@toybox.placo.com
> Author of:                           The FreeBSD Corporate Networker's Guide
> Book website:                          http://www.freebsd-corp-net-guide.com
> 
> 
> >-----Original Message-----
> >From: owner-freebsd-questions@FreeBSD.ORG
> >[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Jason
> >Sent: Saturday, September 29, 2001 2:14 PM
> >To: questions@FreeBSD.ORG
> >Subject: I was rooted using telnet
> >
> >
> >Hello:
> >
> >A couple of days ago I was rooted by someone using a telnet exploit.  I
> >have been cvsup'ing my sources regularly and was using 4.4-RC at the
> >time.  I've since moved to 4.4-STABLE.  It looks like they used some kind
> >of script.  I still have it if anyone wants it.  Since then I have turned
> >off telnet in inetd and blocked the port with a firewall.
> >
> >Anyone have any ideas on how a person could do this?  It looks like this
> >script just tries to move a lot of data for a long period of time.
> >
> >---
> >Jason
> >jason@jason-n3xt.org
> >
> >
> >To Unsubscribe: send mail to majordomo@FreeBSD.org
> >with "unsubscribe freebsd-questions" in the body of the message
> >
> 
> 

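Jason's reply at the top of this message says he would have noticed the break-in two ways: a telnetd process pinning the CPU, and an account the intruder created to get back in. The script below is an added example, not code from this thread or from FreeBSD; it implements those two checks as something an admin could run from cron. It diffs a baseline snapshot of /etc/passwd against the current file (flagging new or removed accounts and any account that changed to UID 0) and scans `ps -axo pid,pcpu,user,comm` output for a telnetd process above a CPU threshold. The passwd lines, the ps output and the 50% threshold are constructed sample data and assumptions, not values from the thread.

```python
"""Added example (not from the thread): two host checks a shell-server admin
could run from cron to notice the signs Jason describes.
All sample data below is constructed; the threshold is an assumption."""
from typing import Dict, List, Tuple

# Constructed baseline /etc/passwd, as it looked before the incident.
BASELINE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
jason:*:1001:1001:Jason:/home/jason:/bin/tcsh
alice:*:1002:1002:Alice:/home/alice:/bin/sh
"""

# Constructed current /etc/passwd: one new account, and one existing
# account whose UID was changed to 0.
CURRENT_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
jason:*:1001:1001:Jason:/home/jason:/bin/tcsh
alice:*:0:1002:Alice:/home/alice:/bin/sh
sys1:*:1003:1003:System Account:/tmp:/bin/sh
"""

# Constructed output of `ps -axo pid,pcpu,user,comm`.
PS_OUTPUT = """\
  PID %CPU USER     COMMAND
    1  0.0 root     init
  113  0.0 root     inetd
 2931 98.7 root     telnetd
 2932  0.1 jason    tcsh
 2940  0.3 alice    sh
"""

CPU_THRESHOLD = 50.0  # assumed: telnetd above this is worth a look


def parse_passwd(text: str) -> Dict[str, int]:
    """Map username -> UID, skipping blank, comment and malformed lines."""
    users: Dict[str, int] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue
        users[fields[0]] = int(fields[2])
    return users


def account_changes(baseline: str, current: str) -> List[str]:
    """Report new accounts, removed accounts, and UID changes since the
    baseline snapshot, calling out anything that is now UID 0."""
    before = parse_passwd(baseline)
    after = parse_passwd(current)
    findings: List[str] = []
    for name in sorted(set(after) - set(before)):
        note = " (UID 0!)" if after[name] == 0 else ""
        findings.append(f"new account: {name} uid={after[name]}{note}")
    for name in sorted(set(before) - set(after)):
        findings.append(f"removed account: {name}")
    for name in sorted(set(before) & set(after)):
        if before[name] != after[name]:
            note = " (now UID 0!)" if after[name] == 0 else ""
            findings.append(
                f"uid changed: {name} {before[name]} -> {after[name]}{note}"
            )
    return findings


def hot_processes(ps_text: str, name: str, threshold: float) -> List[Tuple[int, float]]:
    """Return (pid, %cpu) for processes named `name` using more than
    `threshold` percent CPU, parsed from ps pid/pcpu/user/comm output."""
    hits: List[Tuple[int, float]] = []
    for line in ps_text.splitlines()[1:]:  # first line is the ps header
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, pcpu, _user, comm = parts
        if comm == name and float(pcpu) > threshold:
            hits.append((int(pid), float(pcpu)))
    return hits


if __name__ == "__main__":
    for finding in account_changes(BASELINE_PASSWD, CURRENT_PASSWD):
        print("ALERT", finding)
    for pid, cpu in hot_processes(PS_OUTPUT, "telnetd", CPU_THRESHOLD):
        print(f"ALERT telnetd pid {pid} at {cpu}% CPU")
```

On a real host the baseline snapshot would be kept somewhere the intruder cannot quietly edit (off-box or on read-only media), since Ted's point below is exactly that a root-level attacker can alter whatever the checks read. The checks are still worth having: they cost nothing and catch the careless cases Jason describes.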

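Ted's quoted message insists that after a rebuild "anything restored to it is certified clean", sources included, because a root-level intruder can plant back doors in the source tree as easily as in binaries. The following is an added example, not code from this thread or from FreeBSD, showing one concrete way to do that certification: take a hash manifest from a known-good copy (the same idea as an mtree(8) specification with checksums), then verify the restored tree against it, reporting files that differ, files that are missing, and files the manifest never listed. The directory layout, file contents and manifest format are constructed for the demo and built in a temporary directory, so it runs anywhere.

```python
"""Added example (not from the thread): certify a restored tree against a
hash manifest taken from a known-good copy. The tree built in demo() is
constructed for the example; the manifest format is an assumption, not
FreeBSD's mtree format."""
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large sources and binaries do not load at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Walk a tree and record relative path -> sha256 for every regular file."""
    manifest: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_tree(root: str, manifest: Dict[str, str]) -> List[str]:
    """Compare a restored tree against a known-good manifest.
    Reports modified files, files missing from the restore, and files that
    exist but were never in the manifest (an unlisted extra file is the
    shape a planted back door takes)."""
    actual = build_manifest(root)
    findings: List[str] = []
    for rel in sorted(set(manifest) & set(actual)):
        if manifest[rel] != actual[rel]:
            findings.append(f"modified: {rel}")
    for rel in sorted(set(manifest) - set(actual)):
        findings.append(f"missing: {rel}")
    for rel in sorted(set(actual) - set(manifest)):
        findings.append(f"unexpected: {rel}")
    return findings


def _write(root: str, rel: str, data: bytes) -> None:
    """Helper: create a file (and its parent directories) under root."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo() -> List[str]:
    """Build a constructed known-good tree and a tampered restore, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "good")
        restore = os.path.join(tmp, "restore")
        # Constructed "clean" reference tree (paths are illustrative only).
        _write(good, "usr/src/usr.bin/login/login.c", b"int main(void){return 0;}\n")
        _write(good, "usr/src/Makefile", b"all:\n")
        manifest = build_manifest(good)
        # Constructed restore: one file altered, one missing, one extra.
        _write(restore, "usr/src/usr.bin/login/login.c", b"int main(void){return 1;}\n")
        _write(restore, "usr/src/usr.bin/login/.extra.c", b"/* not in manifest */\n")
        return verify_tree(restore, manifest)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The manifest only proves anything if it was taken from a copy that predates the compromise and was stored where the intruder could not touch it, which is why Ted ties "certified clean" to a full nuke and repave rather than to checks run on the compromised box itself.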




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.21.0110021807320.29974-100000>