Date: Sat, 29 Aug 1998 01:20:08 +1200 (NZST)
From: Andrew McNaughton <andrew@squiz.co.nz>
To: Brendan Kosowski <brendan@bmk.com.au>
Cc: FreeBSD Security <freebsd-security@FreeBSD.ORG>
Subject: Re: FreeBSD 2.2.5 Security Problem
Message-ID: <Pine.BSF.3.96.980828233651.475E-100000@aniwa.sky>
In-Reply-To: <Pine.BSF.3.96.980827121129.2189A-100000@garfield.bmk.com.au>
On Thu, 27 Aug 1998, Brendan Kosowski wrote:

> I suspect a regular security break-in on my FreeBSD 2.2.5 system for the
> following reasons :
>
> ( Note1 : my system has a small number of users which I know well )
> ( Note2 : my inetd.conf only enables FTPD, TELNETD & POPPER )

Popper looks like your problem. You probably know that by now, but your
problem doesn't end there.

> 1. My Internet costs increased by 10 times last month.

If you know which ip's or subnets all of your legitimate users will be
connecting from, you can set up rules with ipfw to log all packets from
outside those areas, or to ports you don't expect to be used. If the number
of incoming connections is small, you could just set up a single rule:

    ipfw add allow log tcp from any to ${your_ip} setup

It won't catch udp traffic etc, but chances are it will be enough to find
out where your hacker is coming from. Better still, set ipfw up to block and
log all but the minimum range of traffic you can get away with in order to
provide normal service.

There is a danger of letting your hacker know you're onto them before you
cut them out, because a scared hacker who wants to cover all traces of their
access may try to delete stuff rather indiscriminately.

> 2. I often see 2 SHELLS running when I do a "ps -ax" even though I am the
> only person listed when I do a "who".

Who will only list shells under particular circumstances, and in particular
it won't list the non-interactive shells which get spawned by lots of system
and other processes. I'd be suspicious of shells which persist (same pid)
over time, or perhaps where there are other reasons to suspect foul play.
Seems like you probably have those. There are ways to avoid appearing in
'who'.

> 3. My SYSLOG messages file has lots of telnetd "undefined errors" during
> times when NO ONE is using the system.

Very suspicious.

> Does anyone have AN OFFICIAL LIST OF FreeBSD 2.2.5 SECURITY HOLES and
> HOW TO FIX THEM ???

I hope not. Known holes should be plugged, not listed. To find out about
current problems though, search the archives of the freebsd security lists,
and the bugtraq archives at www.geek-girl.com.

If you have system accounting turned on, you might want to try "sa -u".
Otherwise, turning it on (in rc.conf) might be useful for figuring out what
they're doing. Also check for stuff in history files in home directories.

When you think you have your hacker online, you might use things like
'watch' (hrmm, probably not using a tty if they're not in 'who'), 'lsof',
'ktrace'. 'last' can be used to look at login times and where the login was
from.
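The point above about 'who' versus 'ps -ax', as an added example that is not part of Andrew's message: a POSIX sh function that flags login-style shells holding a tty that 'who' does not report, skipping the "??" (no tty) shells that cron, inetd and friends spawn. The ps and who lines are constructed samples in the shape of FreeBSD 2.2.x output, not taken from the thread.

```shell
#!/bin/sh
# Constructed sample output in the shape of FreeBSD 2.2.x `ps -ax` and `who`
# (not from the original message). Pid 412 is a login shell on ttyp1 that
# `who` does not report; pid 455 is a harmless non-interactive shell.
PS_SAMPLE='  PID  TT  STAT      TIME COMMAND
  100  ??  Is     0:00.12 /usr/sbin/inetd
  231  p0  Ss     0:00.45 -csh (csh)
  412  p1  Is     0:01.10 -sh (sh)
  455  ??  S      0:00.03 sh -c /usr/libexec/atrun
  520  p1  R+     0:00.02 ps -ax'

WHO_SAMPLE='brendan  ttyp0    Aug 27 12:11 (garfield.bmk.com.au)'

# Print "pid tty command" for every shell that has a controlling tty but
# whose tty does not appear in `who`. Shells on "??" are skipped: those are
# the non-interactive shells spawned by system daemons and cron jobs.
unlisted_shells() {
    ps_out=$1
    who_out=$2
    # ttys that `who` reports, written the way ps prints them (ttyp0 -> p0)
    listed=$(printf '%s\n' "$who_out" |
        awk '{ sub(/^tty/, "", $2); printf "%s ", $2 }')
    printf '%s\n' "$ps_out" | awk -v listed="$listed" '
        BEGIN { n = split(listed, t, " "); for (i = 1; i <= n; i++) seen[t[i]] = 1 }
        NR == 1 { next }                      # column header line
        $2 != "??" && !($2 in seen) {
            cmd = $5                          # -csh, /bin/sh  ->  csh, sh
            sub(/^-/, "", cmd); sub(/.*\//, "", cmd)
            if (cmd ~ /^(sh|csh|tcsh|bash|ksh)$/) print $1, $2, $5
        }'
}

# Demo on the constructed samples. In real use, feed it "$(ps -ax)" and
# "$(who)" from a cron job and mail yourself any output it produces.
unlisted_shells "$PS_SAMPLE" "$WHO_SAMPLE"
```

A shell that keeps showing up here with the same pid across several runs is the persistent case the message describes, and is worth checking with 'lsof' and 'last' before touching anything.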