From: "Drew B. [Security Expertise/Freelance Security research]." <d4rkstorm@gmail.com>
To: Matt Piechota
Cc: freebsd-security@freebsd.org
Date: Fri, 13 May 2005 14:00:09 +1000
Subject: Re: Do I have an infected init file?
Message-ID: <245f0df105051221002b33085a@mail.gmail.com>
In-Reply-To: <245f0df105051218514285cc49@mail.gmail.com>
To update on this, I did some quick checks for you, and now I can give you a better rundown from an administrator's p.o.v.:

www.rootkit.nl/

This has helped me GREATLY thus far in removing 'kiddie pests', although for an experienced Unix malicious user, I assume it would maybe require more. However, I am against using such apps as F-prot 'secure' etc., that give off the impression you are completely secure to the web, when in fact I could do many simple PoCs in 5 minutes in front of any A/V company gladly, using public tools, and prove how easy it is to make an app hide from the actual scanner.

Anyhow, the mentioned URL and file rkhunter are not my property, nor had I even heard of them before I myself was compromised by an experienced Unix kitter; however, I am using the product and can definitely say one thing: it will do a lot more than pathetic A/V scanners made for profit. (Until I'm involved in making an A/V product, I will never back one.)

Now let's get to rootkit hunter config. I am going by the assumption that you configure the app's conf file to include MD5 hash checking, which is one way most other rootkit revealing software is lacking; even this one by default is "off". I had turned mine on from day 1 of usage. I have installed v1.6.2; it keeps a regular .rkhunter.log in ~/. and its updater seems to operate fine with me on 3 machines tested today (Fri 13th May 2005): 5.2.1-fBSD-Stable, 5.3-fBSD-Stable, 5.4-fBSD-RelENG. I see no reason not to use it. I am only offering additional advice with this on the MD5 checking section, and also: try performing tests using an older or un-updated version, log it, then run it (/rkhunter --update), rescan, and you will surely find changes; well, you will be a first if you do not.
I have discovered on my system that even using the BSD Ports and pkg_add applications, I have been left with reports such as this, which has left me extremely unhappy with the ports system and/or handling of multiple packages, which can pose as a potential major security risk (log details of what I mean exactly):

- OpenSSL 0.9.7c [ Vulnerable ]
- OpenSSL 0.9.7e [ Unknown ]

Now this is from running rkhunter in simple mode, then updating, and finding I have previously 'unclean' and vulnerable parts still attached. So far it has happened with Bind and OpenSSH. OpenSSH was quite easy to adjust, although the OpenSSL is a completely new install, meaning that from when I installed via CD to this system in particular (5.2.1), it automatically installed some features; now why these were not removed when they were updated by me manually in ports using updating, and making clean reinstalls, I do not understand. Especially to have come up in security advisories (rkhunter runs a sec advisory checker, indeed handy), so it should grab all BSD advisories and make sure you are NOT vuln to any, combined with the MD5 sig checking + most importantly now, an 'unknown' version of something, which is the way most 'rootkits' seem to be injected.

A vulnerability could not even ever show up in anything if it's, say, crafted specially, perhaps targeted at a specific system, and then patched up by an experienced 'rootkitter' (I know... what a great sounding job, "Hi I'm a r00tkitter!"), but it may perhaps show a version of something you are no longer running, or have never in fact run, but was injected for usage after infection (i.e. a ttyshell or telnetd backdoor, or bindshell), which will then reveal something like "Warning! Outdated Bind 8.0.2, please check!"; thus, you would know you do not run Bind, nor ever have, so it would at least lead to the admin 'investigating'.

Sample of what you would see:

>> Your system contains some unknown version numbers. Please run Rootkit Hunter
>> with the --update parameter etc.
Ok well if anyone has ANY input or suggestions on anything I have said, like 'want evidence' etc., I have not a problem in supplying it; I wouldn't have joined this list otherwise. I just hope I am making people more aware that sometimes the simplest and oldest of tricks are re-used, and often those are the worst threats, but still a vigilant admin who has some security morals (i.e. updates their own server products) will always carry you through even the toughest of times.

In regards to Linux and BSD 'hacking' and rootkitting, I found while again doing research on a backdoor found on a SuSE box, simply by using very clear and specific targets in my searches, i.e. I target a name, so if I get told THC rootkit, I will enter thc+rootkit+release (or download often works). It brought me across this, which shows some products I have proof of being used in current 'kits' -> http://www.s0ftpj.org/en/tools.html

This scared me when I looked, and still does, as I have discovered a lot of sections of the code being written is involved in recent property and email, even IP hijack mass-mail crime. I only wish I had the power to investigate the people and online activities more; my resources are extremely limited, my donators are companies and ISPs, but they do not offer actual cash :) I try what I can and when something "p**es me off", like having to wipe 4000000 emails due to firewall blocking them in (due to bodgy kiddy-kits), I think I have good reason. I just hope I'm reaching you guys; security is a really tough area for many people to comprehend exactly how deep the problem is now that it involves making money.

-Sorry for such a large post, I will pre-comment on that: "Writing text needs time, writing short and easy to understand text needs more time". -inspired by a freebsd current researcher :-)

-A quote on what you may find in your OWN searching: "You can have a handgun to protect yourself, or use it to rob a bank". -who knows but true!

Regards,
Drew B.

On 5/13/05, Drew B. [Security Expertise/Freelance Security research]. wrote:
> Hello,
> I have used rootkit-hunter for BSD, it can download MD5sums from
> whitehat which contains 'current' sigs, not that this matters, it only
> takes a good package (i.e. file is encrypted, to bypass any rootkit
> revealer etc.)
> However I do recommend rootkit-hunter, http://www.rootkit.nl , it just
> runs when needed (/rkhunter -c, /rkhunter --update), and it does a
> VERY thorough job. I recommend running it without update first, then
> update it; you will no doubt find some multiple package installs, which
> seems to be a major problem with this, older package info staying in
> root after package is updated.
> Hope this info is of any help, I can provide a detailed log of a
> rootkithunter.log.. just ask me to attach a copy.
> Regards,
> Drew B.
>
> On 5/13/05, Matt Piechota wrote:
> > On Thu, 12 May 2005, DH wrote:
> >
> > > I'm running a FreeBSD 4.10-release-p2 box and both chkrootkit 0.44 &
> > > 0.45 report that my /sbin/init file is infected.
> >
> > I should mention that 4.10-release is up to p13. You should really think
> > about patching up to current.
> >
> > > It appears as though the egrep for "UPX" in the output of "strings"
> > > triggers the infected notice. When I copy the init file from an
> > > uninfected box to this one chkrootkit continues to report it as
> > > infected. Is chkrootkit reading a copy of the /sbin/init file stored in
> > > active memory? If my machine is compromised, which rootkit is installed
> > > / how can I find out which rootkit is installed?
> >
> > The easiest way to figure out if you are rooted is probably to download or
> > create a clean version of /sbin/init, and compare the two files.
> > Creating might take some work, you'd have to install a clean 4.10, patch
> > it to p2, and make world.
> >
> > --
> > Matt Piechota
> > Key Available from pgp.mit.edu
> > PGP Key fingerprint = FC90 4D65 2F8A 38E9 D1A8 FABB 7AE8 C194 5EC8 9CAD
> > _______________________________________________
> > freebsd-security@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-security
> > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
> >
>
> --
> ------------------------------------------
> Drew B.
> /* Security researcher/expert,threat-focus,Freelance */
> ------------------------------------------
>

--
------------------------------------------
Drew B.
/* Security researcher/expert,threat-focus,Freelance */
------------------------------------------
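The defensive routine this thread circles around (compare a suspect binary such as /sbin/init against a hash taken from a known-clean copy, scan before and after `rkhunter --update`, and triage version lines like the "OpenSSL 0.9.7c [ Vulnerable ]" / "OpenSSL 0.9.7e [ Unknown ]" pair, where the same package shows up twice) can be scripted so the comparison is mechanical rather than eyeballed. The Python below is an added example written for this page; it is not code from the thread, from rkhunter or from chkrootkit. The sample scan lines and the files it hashes are constructed in the script, and it defaults to SHA-256 rather than the MD5 the message discusses (the `algo` parameter is the example's own choice).

```python
"""Added example: baseline hash comparison plus triage of rkhunter-style
version-check lines. Not rkhunter/chkrootkit code; all inputs are constructed."""
import hashlib
import re
import tempfile
from pathlib import Path

# Matches version-check lines of the shape quoted in the thread, e.g.
#   - OpenSSL 0.9.7c [ Vulnerable ]
#   - OpenSSL 0.9.7e [ Unknown ]
VERSION_LINE = re.compile(
    r"^\s*-\s+(?P<name>\S+)\s+(?P<version>\S+)\s+\[\s*(?P<status>[^\]]*?)\s*\]"
)

# Constructed sample output: a scan before and after the signature update.
SCAN_BEFORE = [
    "- OpenSSL 0.9.7c [ OK ]",
    "- OpenSSH 3.7p1 [ OK ]",
]
SCAN_AFTER = [
    "- OpenSSL 0.9.7c [ Vulnerable ]",
    "- OpenSSL 0.9.7e [ Unknown ]",
    "- OpenSSH 3.7p1 [ Vulnerable ]",
]


def hash_bytes(data: bytes, algo: str = "sha256") -> str:
    return hashlib.new(algo, data).hexdigest()


def hash_file(path, algo: str = "sha256") -> str:
    """Stream the file so large binaries need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_to_baseline(baseline: dict, root, algo: str = "sha256") -> dict:
    """baseline: relative path -> digest recorded on a known-clean system.
    Returns relative path -> 'ok' | 'modified' | 'missing'.
    Only baseline paths are checked; files absent from the baseline are
    not reported, so the baseline must be complete for the binaries you care about."""
    root = Path(root)
    results = {}
    for rel, expected in baseline.items():
        target = root / rel
        if not target.is_file():
            results[rel] = "missing"
        elif hash_file(target, algo) == expected:
            results[rel] = "ok"
        else:
            results[rel] = "modified"
    return results


def triage_version_lines(lines) -> dict:
    """Group version-check lines by status and flag packages listed more than
    once (the stale-package situation described in the thread)."""
    by_status: dict = {}
    versions_seen: dict = {}
    for line in lines:
        m = VERSION_LINE.match(line)
        if not m:
            continue
        name, version, status = m.group("name", "version", "status")
        by_status.setdefault(status, []).append((name, version))
        versions_seen.setdefault(name, []).append(version)
    by_status["duplicate"] = [
        (name, vs) for name, vs in versions_seen.items() if len(vs) > 1
    ]
    return by_status


def new_findings(before, after) -> list:
    """Lines present in the post-update scan that the earlier scan lacked."""
    seen = set(before)
    return [line for line in after if line not in seen]


def demo() -> dict:
    """Build a throwaway tree with one clean, one altered and one missing file,
    then compare it against a baseline computed from the clean contents."""
    clean_init = b"\x7fELF constructed clean init\n"
    clean_sh = b"\x7fELF constructed sh\n"
    baseline = {
        "sbin/init": hash_bytes(clean_init),
        "bin/sh": hash_bytes(clean_sh),
        "bin/ls": hash_bytes(b"\x7fELF constructed ls\n"),
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sbin").mkdir()
        (root / "bin").mkdir()
        (root / "sbin" / "init").write_bytes(clean_init + b"tampered\n")  # altered
        (root / "bin" / "sh").write_bytes(clean_sh)  # untouched
        # bin/ls is deliberately not written, so it is reported as missing
        return compare_to_baseline(baseline, root)


if __name__ == "__main__":
    print(demo())
    print(triage_version_lines(SCAN_AFTER))
    print(new_findings(SCAN_BEFORE, SCAN_AFTER))
```

In practice the baseline dictionary would be generated once on a freshly installed, patched system (or from the distribution's own checksums) and kept off the host being checked, since a manifest stored on a compromised machine can be rewritten along with the binaries it describes; the `duplicate` bucket is what surfaces the "two versions of OpenSSL" condition the message complains about.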