From owner-freebsd-security@FreeBSD.ORG Fri Nov 26 14:24:13 2010
From: Nick Knight
Sender: n.knight@stormunix.co.uk
Reply-To: nick@stormunix.co.uk
To: freebsd-security@freebsd.org
Date: Fri, 26 Nov 2010 13:55:58 +0000
Subject: ssh binary modified

Hi,

I've just found a problem with ssh on one of my servers. I'm hoping someone
can give me some insight into what's caused the problem.

When I try to use scp or ftp I get the following error:

command-line: line 0: Bad configuration option: PermitLocalCommand
lost connection

I've just noticed my /usr/bin/ssh binary was modified two days ago although
no updates have been run.

I've noticed a strange new file: /etc/ssh/.sshd_auth
This has file permission 755 and contained two entries of my plain text
login:

myuser:clearpassword
myuser:clearpassword

FreeBSD hostname 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:02:08 UTC
2009 root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64

OpenSSH_5.2p1 FreeBSD-20090522, SSH protocols 1.5/2.0, OpenSSL 0x009080bf

MD5 (/usr/bin/ssh) = 39d889822b743a86ab150e12692c85b7

Has anyone seen the file /etc/ssh/.sshd_auth before?

Cheers
--
Regards
Nick Knight

From owner-freebsd-security@FreeBSD.ORG Fri Nov 26 16:49:11 2010
From: "Poul-Henning Kamp"
Sender: phk@critter.freebsd.dk
To: nick@stormunix.co.uk
Cc: freebsd-security@freebsd.org
Date: Fri, 26 Nov 2010 16:33:28 +0000
Message-ID: <64846.1290789208@critter.freebsd.dk>
In-Reply-To: Your message of "Fri, 26 Nov 2010 13:55:58 GMT."
Subject: Re: ssh binary modified

In message , Nick Knight writes:

>I've just found a problem with ssh on one of my servers. I'm hoping someone
>can give me some insight into what's caused the problem.

You've been hacked.

Reinstall from trusted media.

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

From owner-freebsd-security@FreeBSD.ORG Sat Nov 27 13:05:46 2010
From: Bill Moran
Organization: Collaborative Fusion
To: nick@stormunix.co.uk
Cc: freebsd-security@freebsd.org
Date: Sat, 27 Nov 2010 07:55:43 -0500
Message-Id: <20101127075543.f4539aec.wmoran@collaborativefusion.com>
Subject: Re: ssh binary modified

On 11/26/10 8:55:58 AM, Nick Knight wrote:
> Hi,
>
> I've just found a problem with ssh on one of my servers. I'm hoping someone
> can give me some insight into what's caused the problem.
>
> When I try to use scp or ftp I get the following error:
> command-line: line 0: Bad configuration option: PermitLocalCommand
> lost connection
>
> I've just noticed my /usr/bin/ssh binary was modified two days ago although
> no updates have been run.
>
> I've noticed a strange new file: /etc/ssh/.sshd_auth
> This has file permission 755 and contained two entries of my plain text
> login:
> myuser:clearpassword
> myuser:clearpassword
>
> FreeBSD hostname 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:02:08 UTC
> 2009 root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64
>
> OpenSSH_5.2p1 FreeBSD-20090522, SSH protocols 1.5/2.0, OpenSSL 0x009080bf
>
> MD5 (/usr/bin/ssh) = 39d889822b743a86ab150e12692c85b7
>
> Has anyone seen the file /etc/ssh/.sshd_auth before?

I don't have that file on any of my servers, and it's not referenced in any
of the documentation.

I would assume that your server has been compromised, along with your
password. I would get that server offline and do either forensics or a
clean rebuild (depending on your situation).

If I were you, I would also assume that any accounts that share that
password are also compromised. Change the password everywhere, and if you
use it for online banking or other financial stuff, notify your bank and
have credit or debit cards reissued.

Good luck,
Bill

From owner-freebsd-security@FreeBSD.ORG Sat Nov 27 13:29:55 2010
From: Jan Muenther
To: freebsd-security@freebsd.org
Date: Sat, 27 Nov 2010 14:17:17 +0100
Message-ID: <4CF104DD.1050405@nruns.com>
In-Reply-To: <20101127075543.f4539aec.wmoran@collaborativefusion.com>
Subject: Re: ssh binary modified

Hello,

yeah, that box has been taken over. Now, before you nuke it and reinstall
from some trusted media, I'd try and give finding out what exactly happened
a shot. My point is that if they got in through e.g. a flaw in a custom web
app, just newly setting up the machine and resetting the passwords is not
going to make it all go away.

You don't have to be a forensics expert to at least have a long good look
at the log files.

Cheers, Jan

From owner-freebsd-security@FreeBSD.ORG Sat Nov 27 13:32:09 2010
From: "Poul-Henning Kamp"
Sender: phk@critter.freebsd.dk
To: Jan Muenther
Cc: freebsd-security@freebsd.org
Date: Sat, 27 Nov 2010 13:32:07 +0000
Message-ID: <1874.1290864727@critter.freebsd.dk>
In-Reply-To: Your message of "Sat, 27 Nov 2010 14:17:17 +0100." <4CF104DD.1050405@nruns.com>
Subject: Re: ssh binary modified

In message <4CF104DD.1050405@nruns.com>, Jan Muenther writes:

>yeah, that box has been taken over. Now, before you nuke it and
>reinstall from some trusted media, I'd try and give finding out what
>exactly happened a shot. My point is that if they got in through e.g. a
>flaw in a custom web app, just newly setting up the machine and
>resetting the passwords is not going to make it all go away.

And you should seriously consider putting everything you can into jails,
to contain any future damage.

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
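The indicators in Nick's post (a /usr/bin/ssh whose digest no longer matches, a dotfile under /etc/ssh nobody put there) and the replies' advice to look before rebuilding can be checked with a small baseline audit. The script below is an added example, not code from the thread or from FreeBSD; it assumes a SHA-256 baseline recorded off-host while the machine was still clean, and builds a throwaway directory tree (constructed here) to audit.

```shell
# Added example, not from the thread: audit a tree against a known-good digest
# baseline and flag files under etc/ssh that the baseline does not know about.
# Assumption: the baseline was recorded on a clean host and is kept off-host.

# Portable SHA-256: FreeBSD ships sha256(1), most Linux systems sha256sum(1).
digest() {
    if command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"
    else sha256sum "$1" | cut -d' ' -f1; fi
}

# record_baseline ROOT MANIFEST PATH...: write "digest path" lines (paths relative to ROOT).
record_baseline() {
    root=$1; manifest=$2; shift 2
    : > "$manifest"
    for p in "$@"; do
        printf '%s %s\n' "$(digest "$root/$p")" "$p" >> "$manifest"
    done
}

# audit_tree ROOT MANIFEST: print one finding per line, always return 0.
#   MODIFIED path   digest differs from baseline (e.g. a replaced ssh client)
#   MISSING path    baseline file is gone; UNEXPECTED path: unknown file in etc/ssh
audit_tree() {
    root=$1; manifest=$2
    while read -r want p; do
        if [ ! -f "$root/$p" ]; then printf 'MISSING %s\n' "$p"
        elif [ "$(digest "$root/$p")" != "$want" ]; then printf 'MODIFIED %s\n' "$p"
        fi
    done < "$manifest"
    # Walk with find(1): a dotfile such as .sshd_auth is easy to miss in plain ls output.
    find "$root/etc/ssh" -type f 2>/dev/null | while read -r f; do
        rel=${f#"$root/"}
        awk -v p="$rel" '$2 == p { found = 1 } END { exit !found }' "$manifest" \
            || printf 'UNEXPECTED %s\n' "$rel"
    done
    return 0
}
# demo: constructed tree mirroring the thread, audited after a simulated compromise.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/usr/bin" "$t/etc/ssh"
    printf 'pristine ssh client\n' > "$t/usr/bin/ssh"
    printf 'pristine sshd_config\n' > "$t/etc/ssh/sshd_config"
    record_baseline "$t" "$t/baseline.txt" usr/bin/ssh etc/ssh/sshd_config
    printf 'trojaned ssh client\n' > "$t/usr/bin/ssh"          # binary replaced
    printf 'myuser:clearpassword\n' > "$t/etc/ssh/.sshd_auth"  # credential log appears
    audit_tree "$t" "$t/baseline.txt" | sort
    rm -rf "$t"
}
demo
```

On a real host the baseline would come from install media or a trusted build, and the audit would run against the suspect disk mounted read-only from a clean system, since the live box's own ssh, find and awk may have been replaced too.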