From owner-freebsd-stable  Thu Jul 30 12:43:58 1998
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id MAA07241
          for freebsd-stable-outgoing; Thu, 30 Jul 1998 12:43:58 -0700 (PDT)
          (envelope-from owner-freebsd-stable@FreeBSD.ORG)
Received: from dingo.cdrom.com (dingo.cdrom.com [204.216.28.145])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA07234
          for <freebsd-stable@FreeBSD.ORG>; Thu, 30 Jul 1998 12:43:55 -0700 (PDT)
          (envelope-from mike@dingo.cdrom.com)
Received: from dingo.cdrom.com (localhost [127.0.0.1])
	by dingo.cdrom.com (8.8.8/8.8.5) with ESMTP id MAA00458;
	Thu, 30 Jul 1998 12:42:42 -0700 (PDT)
Message-Id: <199807301942.MAA00458@dingo.cdrom.com>
X-Mailer: exmh version 2.0zeta 7/24/97
To: "Bob Boone" <bboone@whro.org>
cc: freebsd-stable@FreeBSD.ORG
Subject: Re: Security Issue -- 
In-reply-to: Your message of "Thu, 30 Jul 1998 15:30:42 EDT."
             <002e01bdbbf0$8e63eb20$ef63a8c0@wizard.whro.org> 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 30 Jul 1998 12:42:42 -0700
From: Mike Smith <mike@smith.net.au>
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> Not sure if this is the "right" place for this, but this is the list I'm on.
> .. . .  I'm a marginal Unix-person, who used FreeBSD because Apache ran on
> it, and it has been dependable for nearly 2-years. . . So dependable that I
> have not had to get deep into Unix to keep it crusin' . . . . . now I've got
> trouble. . . . .
> 
>      Running a webserver on 2.2.5 / Apache, loaded update 10/21/97, running
> continuously since that date.
> 
>      Security file this morning noted:
> 
> checking setuid files and devices:
> www setuid diffs:
> 2d1
> < -r-xr-sr-x  1 bin   kmem      167936 Oct 21 10:15:06 1997 /bin/ps
> 48d46
> < -r-xr-sr-x  2 bin   kmem     16384 Oct 21 10:19:37 1997 /usr/bin/uptime
> 54d51
> < -r-xr-sr-x  2 bin   kmem     16384 Oct 21 10:19:37 1997 /usr/bin/w
> checking for uids of 0:
> root 0
> toor 0
> 
> The "uids" have never been anything but "0" . . . .  but the other lines
> seemed to indicate a HACK.  A quick directory check showed a number of files
> changed between 3-6 am, some with "kmem" some with other owners. and a
> specific file in /bin: "libtcl76.a"
> 
> -r-xr-xr-x  1 bin   bin        40960 Oct 21  1997 hostname
> -r-xr-xr-x  1 bin   bin        40960 Oct 21  1997 kill
> -rw-r--r--  1 root  bin       308582 Jul 30 05:41 libtcl76.a
> -r-xr-xr-x  1 bin   bin        40960 Oct 21  1997 ln
> -r-xr-xr-x  1 bin   bin       155648 Oct 21  1997 ls
> -r-xr-xr-x  1 bin   bin        40960 Oct 21  1997 mkdir
> 
> All password files had been updated during this time, and a user account was
> changed.
> 
>      Before I could get downstairs to the server, the "libtcl76.a" file
> dissappeared.  My "messages" log was deleted, and there were no httpd-access
> or -error entries for that period of time . . .  Like an "alien" abduction,
> all overt evidence was erased, but I expect this is a more common "earthly"
> problem than that. . . .  There was one last entry on the terminal screen,
> that a mail error had occurred from "noc.ipspeed.net" -- they show up in
> internic as a new ISP in california (I'm on the east coast), so they should
> not have been the last bounce for mail to me, and I'm not sure what
> connection, if any, they are to my other problem  . . .
>
> QUESTIONS:  (1)  Is this a known hack ???

It's not a "known hack", but you certainly had intruder activity.

>                       (2)  What else should I assume is corrupt, beyond
> password and user files.

Everything.  Extract your *data* only to a backup device, reinstall and 
reconfigure from scratch.  You should be performing regular data 
backups, so this should be pretty straightforward.

>  And how do I "delete" a user . . .  sysinstall
> lets me ADD, but not DELETE, and when it adds it puts stuff in several
> different files, so I assume I'll need to go to each of these areas to
> delete the specific user-info . . . .  ??

'pw userdel <username> -r' is pretty effective.

>                       (3)  What do I do to keep it from happening again ???

If you're running the Qualcomm pop server 'popper' you should upgrade it
as there are known exploits.  In general, you should ensure that you
subscribe to the freebsd-security list, and check out the security
advisories on a regular basis.  When you reinstall, I would suggest
moving to 2.2.7 and correspondingly upgrading apache and any CGI
utilities that you're using.

Be aware that while your system is in its compromised state (ie. now) 
it is quite likely being used to attack other systems.

-- 
\\  Sometimes you're ahead,       \\  Mike Smith
\\  sometimes you're behind.      \\  mike@smith.net.au
\\  The race is long, and in the  \\  msmith@freebsd.org
\\  end it's only with yourself.  \\  msmith@cdrom.com



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message