Date: Tue, 29 Jun 2004 19:26:41 -0700 (PDT) From: Dave <mudman@metafocus.net> To: Andrew Johns <ajohns@firstpointglobal.com> Cc: freebsd-security@freebsd.org Subject: Re: ttyv for local only? Message-ID: <20040629191556.L47985@metafocus.net> In-Reply-To: <32866.192.168.100.1.1088557520.squirrel@192.168.100.1> References: <200406282221.i5SMLMA06797@giganda.komkon.org> <32866.192.168.100.1.1088557520.squirrel@192.168.100.1>
next in thread | previous in thread | raw e-mail | index | archive | help
I didn't think syslogd was open to the world by default? Just in case, I now blocked off port 514 for UDP. If it was, then I was just running it open to the world for 2 years and finally noticed :) I guess its not commonly picked on. I also wrote a little program (one of those "in hello world time" to make things) that watches the file sizes of a small handful of files and fires off a really loud mp3 if they change :) A kind of hacky way to see if I can catch someone red-handed modifying things like ps, sockstat, sh, getty, etc.. I can't find the entries that the periodic security mailings found. I'm just going to hope I am looking in the wrong spot rather than the worse case that, say, someone decided to go back and clean them up but not before periodic noticed. :( messages and auth.log arn't showing anything, but they do seem to show failures I have deliberately generated to see where they were going. I am feeling better after the fresh recompile though. I'll see how it plays out. I don't want to format until I'm sure I'm really compromised or if I'm just tripping, or as you said, someone is goofing off with my syslogd. On Wed, 30 Jun 2004, Andrew Johns wrote: > Is your syslogd allowing remote access from the 'net? In light of the > fact that no one should be able to physically stand at the console, it > sounds as though someone is sending spurious entries to it... or else your > box has been compromised and they're using other methods for fun, although > why they would do this if it's already compromised is a good question... > > HTH > dm > > > > console none unknown off secure > > ttyv0 "/usr/libexec/getty Pc" cons25 on secure > > # Virtual terminals > > ttyv1 "/usr/libexec/getty Pc" cons25 on secure > > ttyv2 "/usr/libexec/getty Pc" cons25 on secure > > ttyv3 "/usr/libexec/getty Pc" cons25 on secure > > ttyv4 "/usr/libexec/getty Pc" cons25 on secure > > ttyv5 "/usr/libexec/getty Pc" cons25 on secure > > ttyv6 "/usr/libexec/getty Pc" cons25 on secure > > ttyv7 "/usr/libexec/getty Pc" cons25 on secure > > ttyv8 "/usr/X11R6/bin/xdm -nodaemon" xterm off secure > > --- > > > > I don't really see a problem here. My mystery logins are actually still > > continuing. I'm going to see if I can code a mousetrap to find out who is > > doing it. I did a fresh source compile of world from the latest cvsup for > > 5.2.1 REL, and ran mergemaster to look for differing startup scripts... > > > > No luck yet. I wrote down the byte-sizes of sockstat, ps, and getty on a > > piece of paper. I'm going to watch them over the next couple of days. > > > > On Mon, 28 Jun 2004, Igor Roshchin wrote: > > > >> You might want to check your /etc/ttys file, > >> if it still shows ttyv* as for the console logins or for network logins. > >> > >> Igor > >> > >> > >> Igor Roshchin > >> System Administrator > >> KomKon Sites > >> > >> > >> > From igor@giganda.komkon.org Mon Jun 28 18:19:49 2004 > >> > Date: Mon, 28 Jun 2004 14:13:25 -0700 (PDT) > >> > From: Dave <mudman@metafocus.net> > >> > To: Neo-Vortex <root@Neo-Vortex.Ath.Cx> > >> > Cc: freebsd-security@freebsd.org > >> > Subject: Re: ttyv for local only? > >> > > >> > > >> > > >> > Hmm, I think I am in some kind of trouble. I have been getting login > >> > errors on ttyv that definitely couldn't be me. The only other person > >> who > >> > lives with me is my wife, and it isn't her either. > >> > > >> > qmail, popa3d, etc.. I am even getting them on my ftp too. > >> > > >> > If someone had root access, they should be able to know what I am > >> running > >> > on my system rather than trying these idiotic logins. In fact, they > >> could > >> > telnet to my mail port and look for the Sendmail greeting to know that > >> I > >> > don't run qmail, or portping 125 to see if I am running any kind of > >> POP3 > >> > server. A piece of me feels it is just some internet sweeper that > >> > mindlessly tries logging in or ftping to certain things, and moves to > >> the > >> > next IP address. I am also wondering if it is just a syslogd thing > >> that > >> > the login failures were simply reported on ttyv2 rather than actually > >> > happening there, but then why not ttyv0, which is the 'main' thing it > >> > prints to? > >> > > >> > I recently just backed up my system so I'm not feeling that bad > >> but.... > >> > but... how? There is no sense in making the same mistake twice. I > >> could > >> > run cvsup, compile a fresh binary of sockstat and ps to see if > >> anything is > >> > running... > >> > > >> > I'll consider turning snp off and recompiling my kernel. But that > >> would > >> > just get rid of the messages, not help me get to the heart of it. > >> > > >> > > >> > On Sun, 27 Jun 2004, Neo-Vortex wrote: > >> > > >> > > Hmmm, ttyv* is for local console's only (normally anyway) and ttyp* > >> is for > >> > > remote (ssh, screen, telnet, etc), are you sure some idiot didnt try > >> to > >> > > logon as qmaild in the third console when you wernt looking? > >> > > > >> > > On Sat, 26 Jun 2004, Dave wrote: > >> > > > >> > > > > >> > > > I get this in my security postings. > >> > > > > >> > > > Jun [undisclosed time] [undiscl.] login: 2 LOGIN FAILURES ON ttyv2 > >> > > > Jun [undisclosed time] [undiscl.] login: 2 LOGIN FAILURES ON > >> ttyv2, qmaild > >> > > > > >> > > > As it turns out, I'm not running qmail :) And if I did, it would > >> > > > definitely have a nologin shell. But that's beside the point- > >> > > > > >> > > > I have had a perception that ttyv was for local/console logins, > >> and that > >> > > > just "tty" was for remote logins. > >> > > > > >> > > > Is my understanding wrong here? > >> > > > > >> > > > > >> > > > _______________________________________________ > >> > > > freebsd-security@freebsd.org mailing list > >> > > > http://lists.freebsd.org/mailman/listinfo/freebsd-security > >> > > > To unsubscribe, send any mail to > >> "freebsd-security-unsubscribe@freebsd.org" > >> > > > > >> > > > >> > _______________________________________________ > >> > freebsd-security@freebsd.org mailing list > >> > http://lists.freebsd.org/mailman/listinfo/freebsd-security > >> > To unsubscribe, send any mail to > >> "freebsd-security-unsubscribe@freebsd.org" > >> > > >> > > _______________________________________________ > > freebsd-security@freebsd.org mailing list > > http://lists.freebsd.org/mailman/listinfo/freebsd-security > > To unsubscribe, send any mail to > > "freebsd-security-unsubscribe@freebsd.org" > > > > >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040629191556.L47985>