Date:      Sat, 29 Aug 1998 01:20:08 +1200 (NZST)
From:      Andrew McNaughton <andrew@squiz.co.nz>
To:        Brendan Kosowski <brendan@bmk.com.au>
Cc:        FreeBSD Security <freebsd-security@FreeBSD.ORG>
Subject:   Re: FreeBSD 2.2.5 Security Problem
Message-ID:  <Pine.BSF.3.96.980828233651.475E-100000@aniwa.sky>
In-Reply-To: <Pine.BSF.3.96.980827121129.2189A-100000@garfield.bmk.com.au>

On Thu, 27 Aug 1998, Brendan Kosowski wrote:

> I suspect a regular security break-in on my FreeBSD 2.2.5 system for the
> following reasons :
> 
> 
> ( Note1 : my system has a small number of users which I know well )
> ( Note2 : my inetd.conf only enables FTPD, TELNETD & POPPER )

Popper looks like your problem.  You probably know that by now, but your
problem doesn't end there.

> 1. My Internet costs increased by 10 times last month.

If you know which ip's or subnets all of your legitimate users will be
connecting from, you can set up rules with ipfw to log all packets from
outside those areas, or to ports you don't expect to be used.  If the
number of incoming connections is small, you could just set up a single
rule:

ipfw add allow log tcp from any to ${your_ip} setup

It won't catch udp traffic etc, but chances are it will be enough to find
out where your hacker is coming from.  Better still set ipfw up to block
and log all but the minimum range of traffic you can get away with in
order to provide normal service.

There is a danger of letting your hacker know you're onto them before you
cut them out because a scared hacker who wants to cover all traces of
their access may try to delete stuff rather indiscriminately.

> 2. I often see 2 SHELLS running when I do a "ps -ax" even though I am the
> only person listed when I do a "who".

Who will only list shells under particular circumstances, and in
particular it won't list the non-interactive shells which get spawned by
lots of system and other processes.  I'd be suspicious of shells which
persist (same pid) over time, or perhaps where there are other reasons to
suspect foul play.  Seems like you probably have those.  There are ways
to avoid appearing in 'who'.

> 3. My SYSLOG messages file has lots of telnetd "undefined errors" during
> times when NO ONE is using the system.

Very suspicious.

> Does anyone have AN OFFICIAL LIST OF FreeBSD 2.2.5 SECURITY HOLES and
> HOW TO FIX THEM ???

I hope not.  Known holes should be plugged, not listed.  To find out about
current problems though, search the archives of the freebsd security
lists, and the bugtraq archives at www.geek-girl.com.

If you have system accounting turned on, you might want to try "sa -u".
Otherwise, turning it on (in rc.conf) might be useful for figuring out
what they're doing.  Also check for stuff in history files in home
directories.

When you think you have your hacker online, you might use things
like 'watch' (hrmm, probably not using a tty if they're not in 'who'),
'lsof', 'ktrace'.  'last' can be used to look at login times and where the
login was from.
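
As an added example (not part of the message above), the following POSIX sh script does the `ps -ax` versus `who` comparison from point 2 mechanically: it flags shells that sit on a tty nobody is logged in on, skips the tty-less shells that system processes spawn, and reports which flagged PIDs persist across two snapshots, which is the "same pid over time" test the reply suggests. The ps and who output, PIDs and hostname are constructed sample data so the script runs offline; on a live box you would feed it `"$(ps -ax)"` and `"$(who)"` instead.

```shell
#!/bin/sh
# Added example (not from the original message): correlate `ps -ax` with `who`
# and flag interactive shells that no logged-in session accounts for.
# The snapshots below are constructed sample output so the script runs offline;
# on a live box use: orphan_shells "$(ps -ax)" "$(who)"

# Constructed `ps -ax` output: ttyp0 is the admin's login shell, ttyp1 and
# ttyp2 carry shells nobody is logged in on, and the "??" shell has no tty.
PS_NOW='  PID  TT  STAT      TIME COMMAND
  123  p0  Ss     0:00.31 -csh (csh)
  456  p1  Is     0:00.12 -sh (sh)
  789  ??  S      0:00.05 /bin/sh -c /usr/libexec/atrun
  901  p2  S      0:01.77 sh'

# Constructed second snapshot taken later: 456 is still there, 901 is gone.
PS_LATER='  PID  TT  STAT      TIME COMMAND
  123  p0  Ss     0:00.35 -csh (csh)
  456  p1  Is     0:00.12 -sh (sh)
 1122  p2  S      0:00.02 sh'

# Constructed `who` output: only the admin is logged in.
WHO_NOW='admin    ttyp0  Aug 28 23:10 (example.invalid)'

# orphan_shells PS_OUTPUT WHO_OUTPUT
# Print the PIDs of shells that have a controlling tty which `who` does not
# list. Shells with TT "??" are skipped: those are the non-interactive shells
# that cron, inetd and similar system processes spawn.
orphan_shells() {
    ttys=$(printf '%s\n' "$2" | awk 'NF { printf "%s ", $2 }')
    printf '%s\n' "$1" | awk -v ttys="$ttys" '
        BEGIN { n = split(ttys, t, " "); for (i = 1; i <= n; i++) seen[t[i]] = 1 }
        $1 == "PID" || NF < 5 { next }            # header or blank line
        {
            cmd = $5; sub(/^-/, "", cmd); sub(/.*\//, "", cmd)   # "-csh" -> "csh", "/bin/sh" -> "sh"
            if (cmd !~ /^(sh|csh|tcsh|ksh|bash)$/) next
            if ($2 == "??") next                  # no controlling tty: not a login shell
            key = "tty" $2                        # ps shows "p0", who shows "ttyp0"
            if (!(key in seen)) { if (pids != "") pids = pids " "; pids = pids $1 }
        }
        END { print pids }'
}

# intersect LIST_A LIST_B
# Print the PIDs present in both whitespace-separated lists, in LIST_A order.
intersect() {
    out=""
    for p in $1; do
        for q in $2; do
            if [ "$p" = "$q" ]; then out="$out${out:+ }$p"; fi
        done
    done
    printf '%s\n' "$out"
}

now=$(orphan_shells "$PS_NOW" "$WHO_NOW")
later=$(orphan_shells "$PS_LATER" "$WHO_NOW")
echo "unaccounted-for shells now:   $now"                          # 456 901
echo "unaccounted-for shells later: $later"                        # 456 1122
echo "persisting across snapshots:  $(intersect "$now" "$later")"  # 456
```

Run it a few minutes apart and anything that shows up in the last line is worth a look with `lsof -p` or `ktrace -p` before you touch the firewall, for the reason given above: cutting the intruder off first tells them you are watching.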